Open Problems On Cyclic Codes: Pascale Charpin

This document discusses open problems related to cyclic codes. It begins by introducing different types of cyclic codes, such as primitive versus non-primitive codes. It then discusses properties of cyclic codes like their codewords, locator polynomials, minimum distances, and weight enumerators. Several open problems are mentioned, such as determining the minimum distance of BCH codes or characterizing the weight enumerators of certain cyclic codes. The document emphasizes that cyclic codes remain an important area of research in coding theory.


Open problems on cyclic codes∗∗


Pascale Charpin

Contents

1 Introduction

2 Different kinds of cyclic codes.
  2.1 Notation
  2.2 Definitions
  2.3 Primitive and non primitive cyclic codes
  2.4 Affine-Invariant codes
    2.4.1 The poset of affine-invariant codes
    2.4.2 Affine-invariant codes as ideals of A

3 On parameters of cyclic codes.
  3.1 Codewords and Newton identities
  3.2 Special locator polynomials
  3.3 On the minimum distance of BCH codes
  3.4 On the weight enumerators
    3.4.1 The Reed-Muller codes
    3.4.2 On cyclic codes with two zeros
    3.4.3 On irreducible cyclic codes
  3.5 Automorphism groups of cyclic codes
  3.6 Are all cyclic codes asymptotically bad ?

4 Related problems.
  4.1 Some problems in cryptography
  4.2 Cyclic codes and Goppa codes
  4.3 On the weight enumerator of Preparata codes

5 Conclusion

INRIA, Projet CODES, Domaine de Voluceau, Rocquencourt BP 105, 78153 Le Chesnay Cedex, FRANCE. e-mail: [email protected]
∗∗ “Handbook of Coding Theory”, Part 1: Algebraic Coding, chapter 11, V. S. Pless, W. C. Huffman, editors, R. A. Brualdi, assistant editor.

Warning. The Handbook of Coding Theory was published in 1998. Some research problems, presented as Open problems in this chapter, are solved, or partially solved, today.

1 Introduction
We do not intend to give an exhaustive account of the research problems on
cyclic codes. Many are suggested in Chapter 1 and in several other chapters.
There are chapters which deal with a specific class of cyclic codes or with
related problems and it would be superfluous to say it again. Above all we
want to avoid a boring enumeration of the open problems; many are just
mentioned and could be solved soon.
Our purpose is to emphasize that this topic remains of great interest
for researchers in coding theory. It is a fact that cyclic codes are crucial
objects of coding theory. The involvement of Reed-Solomon codes and of
BCH codes in a number of applications is well-known. On the other hand
the generalized Reed-Muller codes are at the core of algebraic coding theory
and they should be considered as “classical”. The reader can be convinced
of the importance of cyclic codes by referring to the recent publications and
proceedings including as a topic Error-control Coding or, more generally,
Coding Theory. However there are famous old problems which have remained
open for a long time and we have chosen to focus on them. They essentially
involve questions of weights and forms of codewords.
Our concern is to place the problem in a large theoretical context. It
can be the general behaviour of group algebras, or of polynomials over finite
fields, or of the solving of algebraic systems. We want to show that general
tools can be used here in an extremely rich environment. Furthermore we
wish to point out any results on cyclic codes that apply in other contexts.
We give an elementary presentation, choosing simple aspects and basic
results. We don’t want to develop a theory, or even to suggest a method
precisely. It is because we have in mind that a hard research problem is
generally solved by building a theory for solving it. The main recent illustra-
tion of this fact in coding theory is the explanation of the duality between
Preparata and Kerdock codes.
We will often give results without proofs or with a sketch of a proof
because of the special subject of our chapter. Generally we prefer to explain
rather than to prove precisely. Following the same idea, we mainly treat
binary codes, which are simpler to handle. BCH codes and GRM codes
appear many times. This is because these classes impose the main filters of
the general class of cyclic codes — it is usual, when we study any cyclic code,
to begin by looking at their relations with BCH codes, or with GRM codes
when the code is primitive. For this reason, any result on BCH codes or on
GRM codes could have surprising consequences. In contrast, the Quadratic
Residue codes, which form a famous class with remarkable properties, appear
as a specific class.
The main notation and definitions are introduced in Section 2 and they
will be held to afterwards. However they will be specified again as often as
necessary. We don’t give a series of “research problems”. We think that
“comments” are more suited to our purpose. They are placed at the end of
the sections; short sections have no comments. Our purpose or our choices
are explained at the beginning of the main sections.
This chapter is not self-contained. We suppose that at least the intro-
duction on cyclic codes given in Chapter 1 is known. Our main reference for
the theory of finite fields is [102].

2 Different kinds of cyclic codes.


In this section we introduce cyclic codes. We present notation, basic defini-
tions and fundamental tools or properties. However our main purpose is to
describe the general context of our chapter.
Cyclic codes are defined as group algebra codes. We distinguish cyclic
codes and extended cyclic codes, primitive and non primitive cyclic codes,
simple-root and repeated-root cyclic codes. We then define several group
algebras, but we emphasize that the ambient space of the primitive extended
codes is the fundamental algebra. That is the field algebra, say A, in which
the extended cyclic codes appear as central objects. For this reason, we
explain how a non primitive code can be seen as a primitive code. We
also give an extensive study of the “cyclic ideals” of A, completing those of
Assmus and Key (chapter XXX).
On the other hand, any cyclic code satisfies a set of equations on an ex-
tension field, say F. These are stated by means of several Fourier transforms.
Any simple-root cyclic code is fully defined by this set of equations.
Therefore, the properties related with the structure of any group algebra,
especially of A, and the Fourier transforms, from such a group algebra to F,
appear as general tools for considering open problems on cyclic codes.

2.1 Notation
In accordance with Chapter 1, a cyclic code is viewed as an ideal in a poly-
nomial ring over a finite field; it is characterized by its generator polynomial.
In Chapter 1, the proper context for studying cyclic codes of length n over the finite field k of order q, $q = p^r$ and p a prime, is the residue class ring

$$R_n = k[X]/(X^n - 1).$$

Coordinate positions are labelled as $0, 1, \ldots, n-1$ and the cyclicity is the invariance under the shift $i \mapsto i + 1$. Our presentation here is not really different because it is relevant also to the one-variable approach, as opposed to that introduced by Kasami, Lin and Peterson in [85] where the cyclic codes are defined as polynomial codes — such a code corresponds to a set of polynomials in m variables. This approach, which is usual for the description of the generalized Reed-Muller codes, was later called the m-variables approach [64]. In our approach, any cyclic code is always described by means of polynomials with one indeterminate.

However we take into account the fact that the support of a cyclic code is always a cyclic group $G^*$, the group of the roots of $X^n - 1$. Cyclic codes are group algebra codes. So coordinate positions will be labelled as $\alpha^0, \alpha^1, \ldots, \alpha^{n-1}$, where α is a primitive nth root of unity. The cyclicity is the invariance under multiplication by α. Thereby the symbols of any codeword are the values of the Mattson-Solomon (MS) polynomial on each $\alpha^i$. The MS polynomial will play an important role: actually our definition of cyclic codes is based on this concept.

Two finite fields are necessary for defining the ambient space. They are the alphabet field k and the full support field F, the splitting field of $X^n - 1$ over k. The order of F is $q^{m'}$, where q is the order of k. As $q = p^r$, p is the characteristic of the ambient space; the field F will be generally identified with the field of order $p^m$, $m = rm'$.

By the notation $G^*$ we want to emphasize that the group is multiplicative and does not contain zero; $G^*$ is a subgroup of the multiplicative group of F. So the notation G means $G^* \cup \{0\}$. When the codes are primitive, $G^*$ is exactly the multiplicative group of the field F and then G = F. For clarity, if necessary, we will denote by GF(q) the finite field of order q.

2.2 Definitions
Let us denote by M the group algebra $k[\{G^*, \times\}]$, which is the group algebra of the multiplicative group $G^*$, over the field of order q denoted by k. An element of M is a formal sum:

$$x = \sum_{g \in G^*} x_g (g), \quad x_g \in k.$$

Addition and scalar multiplication are component-wise and multiplication is given by the multiplication in $G^*$:

$$\lambda \Big( \sum_{g \in G^*} x_g (g) \Big) = \sum_{g \in G^*} \lambda x_g (g), \quad \lambda \in k,$$

$$\sum_{g \in G^*} x_g (g) + \sum_{g \in G^*} y_g (g) = \sum_{g \in G^*} (x_g + y_g)(g),$$

and

$$\sum_{g \in G^*} x_g (g) \times \sum_{g \in G^*} y_g (g) = \sum_{g \in G^*} \Big( \sum_{hk = g} x_h y_k \Big) (g).$$

It is clear that the following map ψ is an automorphism between the algebras $R_n$ and M:

$$x(X) \in R_n, \quad x(X) = \sum_{i=0}^{n-1} x_i X^i \ \longmapsto\ \psi(x(X)) = \sum_{i=0}^{n-1} x_i (\alpha^i) = \sum_{g \in G^*} x_g (g)$$

where α is an nth root of unity. So any cyclic code can be seen as a group algebra code, an ideal of M, say a code of M, the image by ψ of an ideal of $R_n$. The shift of the codeword x is the codeword $\sum_{g \in G^*} x_g (\alpha g)$. Consider the following k-linear map of M into F:

$$\rho_s \Big( \sum_{g \in G^*} x_g (g) \Big) = \sum_{g \in G^*} x_g g^s \tag{1}$$

where $0 \le s \le n$. Note that $\rho_s(x) = x(\alpha^s)$ for any x in M corresponding to ψ(x(X)). Moreover we have obviously:

$$\rho_0(x) \in k, \quad \rho_n(x) = \rho_0(x) \quad \text{and} \quad \rho_{qs}(x) = (\rho_s(x))^q. \tag{2}$$

Definition 2.1 Let C be a cyclic code of length n over k. The defining set T of C is the largest subset of the range [0, n − 1], invariant under the multiplication by q (mod n), such that any codeword x ∈ C satisfies

$$\rho_s(x) = 0, \quad \forall s \in T.$$

The set T is a union of q-cyclotomic cosets modulo n; any s ∈ T corresponds to a zero of C, say $\alpha^s$ (see Chapter 1, Section 4). Note that [0, n − 1] is the set of integers i with 0 ≤ i ≤ n − 1.

Let C be a code of M. It is called a simple-root cyclic code when the characteristic p of the alphabet field k does not divide the length n. As is stated in the next definition, a simple-root cyclic code is uniquely defined by its defining set.

Definition 2.2 Assume that n is prime to p. A cyclic code C of length n over k, with defining set T can be defined as follows:

$$C = \{ x \in M \mid \rho_s(x) = 0, \ \forall s \in T \}.$$

The dual $C^\perp$ of C is the cyclic code with defining set

$$T^\perp = \{ s \in [0, n-1] \mid n - s \notin T \}.$$

If p divides n, the code is said to be a repeated-root cyclic code. Such a cyclic code has length $n = p^\ell \delta$, for some ℓ and some δ prime with p. So the polynomial $X^n - 1$ is equal to $(X^\delta - 1)^{p^\ell}$. Hence it has δ distinct roots with multiplicity $p^\ell$ in its splitting field. That means that the general form of the generator polynomial of such a code is

$$g(X) = \prod_{i \in I} (g_i(X))^{k_i}, \quad k_i \in [1, p^\ell],$$

where $g_i$ is the minimal polynomial of $\alpha^i$ over k. In this case the defining set of the cyclic code does not define the code uniquely – i.e. the condition on the codewords given in Definition 2.1 is only a necessary condition. Henceforth, in the remainder of the chapter, a cyclic code will be implicitly a simple-root cyclic code, assuming that gcd(n, p) = 1. Although we will mainly treat cyclic codes, the repeated-root codes will be mentioned later several times.

The Fourier transform of any codeword x, referred to as the Mattson-Solomon (MS) polynomial, will be denoted by $M_x(X)$. It is the polynomial

$$M_x(X) = \sum_{s=0}^{n-1} \rho_{n-s}(x) X^s, \tag{3}$$

whose coefficients are in F. The inverse of the MS polynomial is calculated by means of a simple argument. It is important to notice that $M_x$ can be viewed as a mapping from G to k. We have

$$M_x(g) = \sum_{s=0}^{n-1} \Big( \sum_{h \in G^*} x_h h^{n-s} \Big) g^s = \sum_{h \in G^*} x_h \sum_{s=0}^{n-1} (g h^{-1})^s.$$

For any ξ ∈ F which is an nth root of unity the value of $\sum_{s=0}^{n-1} \xi^s$ is 0 if ξ ≠ 1 and n otherwise – since it is equal to $(1 - \xi^n)/(1 - \xi)$. So we obtain:

$$M_x(g) = (n \bmod p)\, x_g, \quad g \in G^*. \tag{4}$$

One obviously deduces from (4) that when gcd(p, n) = 1, the weight of x is n minus the number of roots of $M_x(g)$. Note that one can define the MS polynomial of codewords when gcd(n, p) ≠ 1, but it is generally not invertible. So it is of little interest for the codewords of a repeated-root cyclic code. Any codeword of M can be characterized by its MS polynomial but this tool is of most interest for the study of cyclic codes. In accordance with Definition 2.2 and with (3), (4), we can define a cyclic code by means of its MS polynomial.

Theorem 2.3 Let T be a subset of the range [0, n − 1] which is invariant under multiplication by q (mod n). Denote by L the subspace of $F^n$ whose elements are the n-tuples $(\Lambda_1, \ldots, \Lambda_n)$ satisfying

$$\Lambda_{qs \bmod n} = (\Lambda_s)^q \quad \text{and} \quad \Lambda_s = 0 \ \text{for any } s \in T.$$

Then there is a one-to-one correspondence Φ between the codewords of the cyclic code C with defining set T and the set of polynomials $\sum_{s=0}^{n-1} \Lambda_{n-s} X^s$, $(\Lambda_1, \ldots, \Lambda_n) \in L$. This is the correspondence between a codeword and its MS polynomial:

$$x \in C \ \longmapsto\ \Phi(x) = \sum_{s=0}^{n-1} \Lambda_{n-s} X^s, \quad \Lambda_{n-s} = \rho_{n-s}(x).$$

Note that the image of the shift of x is as follows:

$$\Phi \Big( \sum_{g \in G^*} x_g (\alpha g) \Big) = \sum_{s=0}^{n-1} \Lambda_{n-s} (\alpha^{-1} X)^s = M_x(X/\alpha). \tag{5}$$

One can say that the code C is formally defined by the polynomial

$$M_C(X) = \sum_{s=0}^{n-1} \Lambda_{n-s} X^s,$$

where $(\Lambda_1, \ldots, \Lambda_n) \in L$.

Proof: We only need to verify that any polynomial

$$\Lambda(X) = \sum_{s=0}^{n-1} \Lambda_{n-s} X^s, \quad (\Lambda_1, \ldots, \Lambda_n) \in L,$$

corresponds to a unique codeword x of C. As $\Lambda_{qs} = (\Lambda_s)^q$, $\Lambda(g) \in k$ for all g ∈ G. So Λ(X) is the MS polynomial of one and only one codeword x ∈ M. Moreover x is in C because $\Lambda_s = 0$ for s ∈ T. It remains to prove (5). Set $x' = \sum_{g \in G^*} x_g (\alpha g)$. By definition (see (1)) we have

$$\rho_j(x') = \sum_{g \in G^*} x_g \alpha^j g^j = \alpha^j \sum_{g \in G^*} x_g g^j = \alpha^j \rho_j(x).$$

Therefore

$$M_{x'}(X) = \sum_{s=0}^{n-1} \rho_{n-s}(x') X^s = \sum_{s=0}^{n-1} \alpha^{n-s} \rho_{n-s}(x) X^s = \sum_{s=0}^{n-1} \rho_{n-s}(x) (\alpha^{-1} X)^s,$$

completing the proof.



Example 2.4 Let C be the binary cyclic code of length n = 15 with defining set

$$T = \{ 1, 2, 4, 8, 5, 10 \};$$

T is the union of two cyclotomic cosets modulo 15 containing respectively 1 and 5. We have here k = GF(2), m = 4 and α is a primitive root of the field F of order 16. Then

$$G^* = F^* = \{ 1, \alpha, \alpha^2, \ldots, \alpha^{14} \}$$

and $M = k[\{G^*, \times\}]$. Recall that the cyclotomic cosets modulo 15 are

$$\{0\}, \ \{1, 2, 4, 8\}, \ \{3, 6, 12, 9\}, \ \{5, 10\}, \ \{7, 14, 13, 11\}.$$

With the notation of Theorem 2.3, we have $\Lambda_i = 0$ for any i ∈ T; L is the set of the n-tuples

$$(0, 0, \Lambda_3, 0, 0, \Lambda_6, \Lambda_7, 0, \Lambda_9, 0, \Lambda_{11}, \Lambda_{12}, \Lambda_{13}, \Lambda_{14}, \Lambda_{15}),$$

where the $\Lambda_i$ satisfy $\Lambda_{2i \bmod 15} = \Lambda_i^2$. So

$$M_C(X) = \Lambda_3 X^{12} + \Lambda_3^2 X^9 + \Lambda_7 X^8 + \Lambda_3^8 X^6 + \Lambda_7^8 X^4 + \Lambda_3^4 X^3 + \Lambda_7^4 X^2 + \Lambda_7^2 X + \Lambda_{15}.$$

Recall that $\Lambda_{15} \in \{0, 1\}$. Set $\epsilon = \Lambda_{15}$, $\lambda = \Lambda_3$ and $\mu = \Lambda_7$. Each codeword x of C is uniquely defined by a triple $(\epsilon, \lambda, \mu) \in F^3$; its MS polynomial is as follows:

$$M_x(X) = \lambda X^{12} + \lambda^2 X^9 + \mu X^8 + \lambda^8 X^6 + \mu^8 X^4 + \lambda^4 X^3 + \mu^4 X^2 + \mu^2 X + \epsilon = \epsilon + Tr(\lambda^4 X^3 + \mu^2 X),$$

where Tr is the trace function from F to k. Note that the code C contains $2(2^4)^2$ codewords; C has dimension 9. Consider the generating idempotent of C. That is the codeword y defined by $\epsilon = \lambda = \mu = 1$. We obtain the symbols of y by computing, for i ∈ [0, 14],

$$y_{\alpha^i} = M_y(\alpha^i) = 1 + Tr(\alpha^{3i} + \alpha^i). \tag{6}$$

Note that we have $y_{\alpha^{2i}} = y_{\alpha^i}$, since y is an idempotent. Assuming that F is defined by the primitive polynomial $X^4 + X + 1$, we have the following representation:

$$\begin{array}{ccccccccccccccc}
1 & \alpha & \alpha^2 & \alpha^3 & \alpha^4 & \alpha^5 & \alpha^6 & \alpha^7 & \alpha^8 & \alpha^9 & \alpha^{10} & \alpha^{11} & \alpha^{12} & \alpha^{13} & \alpha^{14} \\
\hline
0 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 1 & 1 \\
0 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 1 & 1 & 0 \\
0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 1 & 1 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 1
\end{array}$$

It is easy to check that

$$Tr(1) = Tr(\alpha) = Tr(\alpha^5) = 0 \quad \text{and} \quad Tr(\alpha^3) = Tr(\alpha^7) = 1,$$

implying, by using (6),

$$y_1 = y_{\alpha^3} = y_{\alpha^5} = y_{\alpha^7} = 1 \quad \text{and} \quad y_\alpha = 0.$$

So the codeword y is as follows

$$y = \sum_{j \in J} (\alpha^j), \quad J = \{0, 3, 6, 9, 12, 5, 10, 7, 11, 13, 14\},$$

where $\{\alpha^j \mid j \in J\}$ is the support of y; note that wt(y) = 11. We can check that y is the generating idempotent of C by computing the $\rho_s(y)$. According to (1) we obtain

$$\rho_s(y) = 1 + Tr(\alpha^{3s} + \alpha^{7s}) + \alpha^{5s} + \alpha^{10s},$$

providing

$$\rho_0(y) = \rho_3(y) = \rho_7(y) = 1 \quad \text{and} \quad \rho_1(y) = \rho_5(y) = 0.$$

So we find again the coefficients of the MS polynomial of y — since $\rho_0 = \Lambda_{15}$ and $\rho_s = \Lambda_s$ for all non zero s.

At the end of this brief background to MS polynomials we want to recall a well-known theorem, called Blahut’s Theorem in coding theory [29], providing the link between the weight of a codeword and its MS polynomial.

Theorem 2.5 Let x ∈ M and denote by $\Lambda_1, \ldots, \Lambda_n$ the coefficients of the MS polynomial of x. Then the weight of x is equal to the rank of the circulant matrix

$$C(x) = \begin{pmatrix}
\Lambda_n & \Lambda_{n-1} & \cdots & \Lambda_1 \\
\Lambda_1 & \Lambda_n & \cdots & \Lambda_2 \\
\vdots & \vdots & & \vdots \\
\Lambda_{n-1} & \Lambda_{n-2} & \cdots & \Lambda_n
\end{pmatrix}.$$

Proof: Recall that α is an nth root of unity. Let $x = \sum_{g \in G^*} x_g (g)$. By definition (see (1) and (3)), we have for any i

$$\begin{pmatrix} \Lambda_i \\ \Lambda_{i+1} \\ \vdots \\ \Lambda_{i+n-1} \end{pmatrix}
= \begin{pmatrix}
1 & 1 & \cdots & 1 \\
1 & \alpha & \cdots & \alpha^{n-1} \\
\vdots & \vdots & & \vdots \\
1 & \alpha^{n-1} & \cdots & (\alpha^{n-1})^{n-1}
\end{pmatrix}
\begin{pmatrix} x_1 \\ \alpha^i x_\alpha \\ \vdots \\ \alpha^{(n-1)i} x_{\alpha^{n-1}} \end{pmatrix}.$$

Denote by L the n × n matrix above. By expressing each column of C(x) in the same way, it is easy to see that, up to rearrangement of columns:

$$C(x) = L \begin{pmatrix}
x_1 & 0 & 0 & \cdots & 0 \\
0 & x_\alpha & 0 & \cdots & 0 \\
\vdots & & \ddots & & \vdots \\
0 & 0 & \cdots & 0 & x_{\alpha^{n-1}}
\end{pmatrix} L.$$

Hence the rank of C(x) is equal to the number of non zero terms of the diagonal of the matrix above. That is exactly the weight of x.


Example 2.6 As in Example 2.4, and later in Example 2.12, k = GF(2), F = GF(16) and α is a primitive root of the field F. We consider here a binary cyclic code of length 5 (F is the splitting field of $X^5 + 1$). We choose a 5th root of unity, let $\beta = \alpha^3$; then $G^* = \{ \beta^i \mid i \in [0, 4] \}$. The 2-cyclotomic cosets modulo 5 are

$$\{0 \text{ or } 5\}, \quad \{1, 2, 4, 3\}.$$

Consider the code C with defining set T = {0}. Actually C is the [5, 4, 2] irreducible binary cyclic code whose weight enumerator is obviously

$$W_C(x, y) = x^5 + 10 x^3 y^2 + 5 x y^4.$$

The MS polynomial of C is

$$M_C(X) = \Lambda_4 X + \Lambda_3 X^2 + \Lambda_2 X^3 + \Lambda_1 X^4.$$

Set $\lambda = \Lambda_1$. Any λ ∈ F defines one and only one codeword of C. For instance the MS polynomial of the generating idempotent y is

$$M_y(X) = X + X^2 + X^3 + X^4 = \frac{X^5 + 1}{X + 1} + 1.$$

This polynomial has exactly one root in $G^*$, X = 1, implying wt(y) = 4. On the other hand, consider the circulant matrix C(y) (with notation of Theorem 2.5)

$$C(y) = \begin{pmatrix}
0 & 1 & 1 & 1 & 1 \\
1 & 0 & 1 & 1 & 1 \\
1 & 1 & 0 & 1 & 1 \\
1 & 1 & 1 & 0 & 1 \\
1 & 1 & 1 & 1 & 0
\end{pmatrix}.$$

It is easy to check that the rank of C(y) is exactly 4. Note that both methods, especially the second, necessitate a computer, except for such very simple cases.
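The computations of Example 2.4 and of Theorem 2.5 with Example 2.6, done by machine; this is an added example, not part of the original chapter. It builds GF(16) from $X^4 + X + 1$, recovers the idempotent y of Example 2.4 from its MS polynomial, and checks Blahut's theorem for every binary word of length 5 by elimination over GF(16). The function names and the encoding of field elements as 4-bit integers are choices made for this example.

```python
from itertools import product

# GF(16) = GF(2)[X]/(X^4 + X + 1); an element is a 4-bit integer whose bit i
# is the coefficient of alpha^i.  EXP[i] = alpha^i.
EXP = [1]
for _ in range(14):
    v = EXP[-1] << 1
    EXP.append(v ^ 0b10011 if v & 0b10000 else v)
LOG = {v: i for i, v in enumerate(EXP)}

def gmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 15]

def gpow(a, e):
    if a == 0:
        return 1 if e == 0 else 0          # convention 0^0 = 1
    return EXP[(LOG[a] * e) % 15]

def trace(a):
    """Trace from GF(16) to GF(2); the value is the integer 0 or 1."""
    return a ^ gpow(a, 2) ^ gpow(a, 4) ^ gpow(a, 8)

def cyclotomic_cosets(q, n):
    """q-cyclotomic cosets modulo n, each listed as s, qs, q^2 s, ..."""
    seen, cosets = set(), []
    for s in range(n):
        if s not in seen:
            coset, t = [], s
            while t not in coset:
                coset.append(t)
                t = t * q % n
            seen.update(coset)
            cosets.append(coset)
    return cosets

def field_table_rows():
    """Rows of the table of Example 2.4: coefficients of alpha^3, alpha^2, alpha, 1."""
    return [" ".join(str((EXP[i] >> b) & 1) for i in range(15)) for b in (3, 2, 1, 0)]

def codeword_2_4(eps, lam, mu):
    """Symbols x_{alpha^i} = eps + Tr(lam^4 g^3 + mu^2 g) at g = alpha^i, i = 0..14."""
    return [eps ^ trace(gmul(gpow(lam, 4), gpow(g, 3)) ^ gmul(gpow(mu, 2), g))
            for g in EXP]

def rho(s, x, root=EXP[1]):
    """rho_s(x) = sum over i of x_i * root^(i*s); x is a 0/1 sequence."""
    acc = 0
    for i, xi in enumerate(x):
        if xi:
            acc ^= gpow(root, i * s)
    return acc

def defining_set(words, n, root=EXP[1]):
    return [s for s in range(n) if all(rho(s, x, root) == 0 for x in words)]

def circulant(x, root):
    """C(x) of Theorem 2.5: entry (i, j) is Lambda_{(i-j) mod n}, Lambda_0 = Lambda_n."""
    n = len(x)
    lam = [rho(s, x, root) for s in range(n)]
    return [[lam[(i - j) % n] for j in range(n)] for i in range(n)]

def rank_gf16(matrix):
    """Rank over GF(16) by Gauss-Jordan elimination."""
    m, rank = [row[:] for row in matrix], 0
    for c in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = gpow(m[rank][c], 14)         # a^14 = a^(-1) for a != 0
        m[rank] = [gmul(inv, v) for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [v ^ gmul(f, w) for v, w in zip(m[r], m[rank])]
        rank += 1
    return rank

def blahut_holds(n, root):
    """True if rank C(x) = wt(x) for every binary word x of length n."""
    return all(rank_gf16(circulant(x, root)) == sum(x)
               for x in product((0, 1), repeat=n))

if __name__ == "__main__":
    y = codeword_2_4(1, 1, 1)              # generating idempotent of Example 2.4
    print("support J of y:", [i for i, b in enumerate(y) if b])
    print("rho_s(y), s = 0..14:", [rho(s, y) for s in range(15)])
    y5 = [0, 1, 1, 1, 1]                   # idempotent of Example 2.6, beta = alpha^3
    print("rank C(y):", rank_gf16(circulant(y5, EXP[3])))
    print("Blahut holds for n = 5:", blahut_holds(5, EXP[3]))
```

Checking all $2^{15}$ words of length 15 the same way is possible but slow in pure Python; the idempotent of Example 2.4 alone already gives rank 11.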

Whenever T does not contain 0, we extend the code C by an overall parity check (see Chapter 1, Section 2). We denote by $\hat{C}$ the extended code of C:

$$\hat{C} = \Big\{ \Big( -\sum_{g \in G^*} x_g \Big)(0) + \sum_{g \in G^*} x_g (g) \ \Big|\ \sum_{g \in G^*} x_g (g) \in C \Big\}. \tag{7}$$

By convention the attached symbol is labelled by 0 and the defining set of $\hat{C}$ is T ∪ {0}. The extended code is defined with one more equation. An extended codeword is in $\hat{C}$ if and only if it satisfies

$$\sum_{g \in G} x_g g^0 = 0 \quad \text{and} \quad \rho_s(x) = 0, \ s \in T,$$

where $0^0 = 1$. The support of $\hat{C}$ is now the set G. These conventions will have a clear meaning for primitive codes. Conversely we say that C is the code obtained from $\hat{C}$ by puncturing at the element 0 ∈ G: C is the punctured code of $\hat{C}$.

A code of length $p^m - 1$ (or $p^m$), over a field of characteristic p, is generally said to be primitive. Suppose that $n = p^m - 1$, for some m. Then the codes C and $\hat{C}$ are respectively said to be primitive cyclic and primitive extended cyclic. In that case G equals F, the splitting field of $X^n - 1$. We can take as ambient space the algebra of the additive group of F over k. This algebra will be denoted by A, $A = k[\{G, +\}]$. In order to avoid confusion we will use the notation F instead of G in this context. An element of A is a formal sum:

$$x = \sum_{g \in F} x_g X^g, \quad x_g \in k.$$

The operations are:

$$\sum_{g \in F} x_g X^g + \sum_{g \in F} y_g X^g = \sum_{g \in F} (x_g + y_g) X^g,$$

and

$$\sum_{g \in F} x_g X^g \times \sum_{g \in F} y_g X^g = \sum_{g \in F} \Big( \sum_{h + k = g} x_h y_k \Big) X^g.$$

Note that $X^0$ is the multiplicative unit. As previously (for the algebra M) we consider the k-linear map of A into F:

$$\phi_s \Big( \sum_{g \in F} x_g X^g \Big) = \sum_{g \in F} x_g g^s \tag{8}$$

where 0 ≤ s ≤ n and $0^0 = 1$.

Definition 2.7 Let the ambient space be $A = k[\{F, +\}]$. Let T be a subset of [0, n], containing 0 and invariant under multiplication by q (mod n). The extended cyclic code $\hat{C}$ with defining set T is defined as follows:

$$\hat{C} = \{ x \in A \mid \phi_s(x) = 0, \ \forall s \in T \}.$$

The code $\hat{C}$ is said to be an extended cyclic code in A. The dual of $\hat{C}$ is also an extended cyclic code. Its defining set is the set of those s such that n − s is not in T.

When we consider cyclic codes in A, rather than in M, we place these codes in the general ambient space of primitive codes of length $p^m$ (extended cyclic or not). New operations, and then new tools, appear. The algebra A is actually a field algebra. Since the multiplication in F involves the shift on codewords, this point of view is of most interest for cyclic codes. But, conversely, the field algebra A is the appropriate ambient space for the study of any relation between a given primitive code and some cyclic codes. We will develop, or illustrate, these ideas several times in this chapter.

Remark on the functions $\rho_s$ and $\phi_s$. The mappings $\rho_s$ are defined for 0 ≤ s ≤ n, but we noticed that $\rho_n = \rho_0$. Definition 2.1 is classical, taking into account that $\alpha^0 = \alpha^n$.

For the definition of the extended code $\hat{C}$ we must differentiate between 0 and n. We have, by convention,

$$\phi_0 \Big( \sum_{g \in F} x_g X^g \Big) = \sum_{g \in F} x_g \quad \text{and} \quad \phi_n \Big( \sum_{g \in F} x_g X^g \Big) = \sum_{g \in F^*} x_g.$$

By definition, any extended code in A satisfies $\phi_0(x) = 0$, for any codeword x. Generally n is not in the defining set of $\hat{C}$. If it is, it means that $\alpha^0$ is a zero of the code C. So the extension of C is not really an extension. One simply considers C in the ambient space A.

The mapping $\phi_n$ is more interesting for the study of subcodes of $\hat{C}$. In any code $\hat{C}$, we have the subcode containing the codewords x satisfying $\phi_n(x) = 0$. This subcode can be seen as the extension of the cyclic subcode of C containing $\alpha^0$ as zero. When C is binary, this is the subcode of codewords of even weight.
Finally we want to recall the definition of three “classical” classes of cyclic codes: the Generalized Reed-Muller (GRM) codes, the Bose-Chaudhury-Hocquenghem (BCH) codes, and the Quadratic Residue (QR) codes.

Definition 2.8 Let the ambient space be A; $n = q^{m'} - 1$, $q = p^r$ and $m = m'r$. For any q and any s ∈ [0, n], the q-weight of s denoted by $wt_q(s)$ is

$$wt_q(s) = \sum_{i=0}^{m'-1} s_i,$$

where $\sum_{i=0}^{m'-1} s_i q^i$ is the q-ary expansion of s. The GRM code of order ν, $0 \le \nu < m'(q-1)$, is the extended cyclic code over the field k = GF(q) with defining set

$$T_\nu = \{ s \in [0, n] \mid 0 \le wt_q(s) < m'(q-1) - \nu \}.$$

This code is of length $p^m = q^{m'}$ and is denoted by $R_q(\nu, m)$ while its punctured code is denoted by $R_q^*(\nu, m)$. Binary Reed-Muller codes are usually called Reed-Muller (RM) codes. More generally, a GRM code defined on a prime field of order p is called a p-ary RM code.

Definition 2.9 Let the ambient space be M. Let δ be an integer in the range [1, n − 1] which is the smallest representative of a cyclotomic coset of q modulo n. The BCH code of designed distance δ is the cyclic code with defining set

$$T_\delta = \bigcup_{s \in [1, \delta - 1]} cl(s),$$

where cl(s) is the cyclotomic coset of q modulo n containing s.

When $n = p^m - 1$ and k is the field of order $p^m$, then cl(s) = {s} and $T_\delta = [1, \delta - 1]$ is the defining set of the Reed-Solomon (RS) code of length n and minimum distance δ over k.

Definition 2.10 Let the ambient space be M with two further conditions:

1. the length n is an odd prime;

2. the order q of the alphabet field k is a quadratic residue modulo n — in other words, q is such that $q^{(n-1)/2} \equiv 1 \pmod{n}$.

Denote by Q the set of the quadratic residues in the finite field $F_n$ of order n and by N the set of non residues:

$$Q = \{ s^2 \pmod{n} \mid s \in F_n, \ s \neq 0 \}.$$

Then the codes with defining sets

$$Q, \quad \{0\} \cup Q, \quad N, \quad \{0\} \cup N,$$

are the quadratic residue codes.

Comments on Section 2.2 There are few papers about the class of
repeated-root cyclic codes. Some special such codes, related to RM codes,
were studied by Berman in [25] (see also [114] where the practical inter-
est is explained). Binary self-dual codes which are cyclic are repeated-root
cyclic codes; some properties are given in [132]. The most important work on
repeated-root cyclic codes is due to Castagnoli et al. [46, 1991]. The au-
thors treat the full class and present general results. Actually they introduce
the theory. They show precisely how some parameters of a repeated-root
cyclic code can be expressed from those of a certain simple-root cyclic code.
Thereby the repeated-root cyclic codes cannot be “better” than simple-root
cyclic codes. However these codes appear more evidently as interesting ob-
jects. Complements are given in [113]. On the other hand, van Lint has
described the binary cyclic codes of length 2n, n odd, by means of the well-
known |u|u+v| construction [140]. The repeated-root cyclic codes, considered
as ideals in a group algebra, have been extensively studied by Zimmermann
[154].
The weight enumerators of GRM codes, BCH codes and QR codes are
not always known, except RS codes, since they are MDS codes, and some
particular codes (such as the Hamming codes). For the RS codes the question is to determine their complete weight enumerators. The minimum distance of GRM codes is known (see comments of Section 3.2 and 3.4.1). This is generally not known for BCH codes and QR codes. The automorphism groups of GRM codes, QR codes and narrow-sense BCH codes are known (see Chapter(Huffman) and §3.5). There is no decoding algorithm known for QR codes.

2.3 Primitive and non primitive cyclic codes


In this section we want to show that any non primitive cyclic code can be considered as a primitive cyclic code. More precisely it can be viewed in the ambient space of the primitive cyclic codes. Therefore the extended code can be viewed as a code of A.

We need to be more precise; in particular we take specific notation (only for this section). Assume that

$$N = p^m - 1, \quad N = n\nu, \quad n < N.$$

The finite field of order $p^m$ is denoted by F and $G^*$ is the cyclic subgroup of F of order n generated by β, a primitive nth root of unity. We choose α, a primitive element of the field F, such that $\beta = \alpha^\nu$. Recall that the alphabet field k is a subfield of F. Note that, in this section, the mappings $\rho_s$ apply to the codewords of $k[\{F^*, \times\}]$.

Denote by C a non primitive cyclic code. It is a code of length n over k with defining set T(C). Then the set of zeros of C is the set $\{\beta^j \mid j \in T(C)\}$, as well as the set $\{\alpha^{j\nu} \mid j \in T(C)\}$. Consider the cyclic code D of length N over k with defining set

$$T(D) = [0, N-1] \setminus \{ j\nu \mid j \in [0, n-1], \ j \notin T(C) \}. \tag{9}$$

Thereby the non-zeros of D are exactly the non-zeros of C. Let x ∈ D and consider its MS polynomial. By definition and since $\rho_j(x) = 0$ for any j in the defining set of D, we have

$$M_x(X) = \sum_{\substack{0 \le s \le N-1 \\ N-s \notin T(D)}} \rho_{N-s}(x) X^s = \sum_{\substack{0 \le t \le n-1 \\ n-t \notin T(C)}} \rho_{(n-t)\nu}(x) X^{t\nu}$$

(see Definition 2.1 and (3)). Now we compute the symbols of x by the inverse Fourier transform; we obtain

$$N x_{\alpha^i} = M_x(\alpha^i), \quad i \in [0, N-1].$$

Set $i = n i_1 + i_2$ with $0 \le i_2 < n$. We have

$$M_x(\alpha^i) = \sum_{\substack{0 \le t \le n-1 \\ n-t \notin T(C)}} \rho_{(n-t)\nu}(x) \alpha^{t\nu(n i_1 + i_2)} = \sum_{\substack{0 \le t \le n-1 \\ n-t \notin T(C)}} \rho_{(n-t)\nu}(x) \beta^{t i_2}, \tag{10}$$

since $\alpha^\nu = \beta$ and $\beta^n = 1$. Hence

$$M_x(\alpha^{n i_1 + i_2}) = M_x(\alpha^{i_2}), \quad i_1 \in [0, \nu - 1], \ i_2 < n,$$

which means $x_{\alpha^i} = x_{\alpha^{i_2}}$ for $i \equiv i_2$ modulo n. Now we take $(\Lambda_1, \ldots, \Lambda_n) \in F^n$ such that $\Lambda_j = \rho_{j\nu}(x)$. Consider the codeword y in C whose MS polynomial is

$$M_y(X) = \sum_{\substack{0 \le t \le n-1 \\ n-t \notin T(C)}} \Lambda_{n-t} X^t.$$

According to (10), we have for any $i_2 \in [0, n-1]$:

$$M_y(\beta^{i_2}) = M_x(\alpha^{i_2}),$$

which means

$$y_{\beta^{i_2}} = (N/n \bmod p)\, x_{\alpha^{i_2}} = (\nu \bmod p)\, x_{\alpha^{i_2}}, \quad i_2 \in [0, n-1].$$

On the other hand, any primitive cyclic code whose defining set is of the form (9), for some T(C) which is invariant under the multiplication by q (mod n), corresponds to a non primitive cyclic code. We summarize this in the next proposition (with notation introduced above).

Proposition 2.11 The cyclic code D is the “primitive form” of the code C. Any codeword $x = \sum_{g \in F^*} x_g (g)$ of D is obtained from a codeword $y = \sum_{g \in G^*} y_g (g)$ by repetition of symbols. That is:

$$x = \sum_{i=0}^{N-1} x_{\alpha^i} (\alpha^i) = \sum_{j=0}^{n-1} \sum_{i \bmod n = j} x_{\alpha^j} (\alpha^i)$$

and

$$y = \sum_{j=0}^{n-1} y_{\beta^j} (\beta^j) = \sum_{j=0}^{n-1} (\nu \bmod p)\, x_{\alpha^j} (\beta^j).$$

Therefore wt(x) = ν wt(y).

To conclude we would like to illustrate the link between the irreducible
cyclic codes and some diagonal equations. Suppose that C is an irreducible
cyclic code of length n over k. Then, up to equivalence, it is the code of
M which has as non zeros only β −1 and its conjugates. Let cl(−1) be the
q-cyclotomic coset of −1 modulo n. So
T (C) = [0, n − 1] \ cl(−1) .
(see Chapter 1, Theorem 5.25). Consider the code D, as previously defined
from C. According to (9) we have:
T (D) = [0, N − 1] \ { − ν, − qν , . . . , (−q m−1 ν) mod N } ,
implying that the defining set of the dual of D is the q-cyclotomic coset of ν
modulo N . Let us consider the equations over F of the type
a1 X1ν + . . . + aw Xwν = 0 , (11)
where ai ∈ k and w is an integer greater than two. They are diagonal
equations with a constant exponent over F [102, Chapter Pw 6]. A solution of
(11) is a w-tuple (g1 , . . . , gw ), gi ∈ F, satisfying ν
i=1 ai gi = 0. Suppose
that such a solution S is composed of k pairwise distinct nonzero elements,
say g1 , . . . , gk , and of w − k zeros. Then it corresponds to the codeword
X
k
x= ai (gi ) , x ∈ k[{F∗ , ×}] .
i=1

As the gi satisfy (11), ρν (x) = 0. Hence x is a codeword of D⊥ of weight k.


More generally any codeword of D⊥ of weight less than or equal to w provides
a solution of an equation of type (11).
In the binary case, the connection with the weight enumerator of a given
irreducible cyclic code is more clear and of most interest. Indeed if k is the
field of order two, the knowledge of the solutions of the diagonal equations
$$X_1^{\nu} + \dots + X_w^{\nu} = 0 \tag{12}$$
over F, for any w, is equivalent to the knowledge of the weight enumerator
of the code C. More precisely the number of the codewords of weight w in
D⊥ is equal to the number of the solutions S of (12) composed of w distinct
non zero elements of F. The weight enumerator of C can be obtained from
the one of D.

Example 2.12 Let N = 15 and n = 5; so F = GF(16) and ν = 3. Consider
the binary cyclic code D of length 15 with defining set

$$T(D) = \{ s \in [0, 15] \mid s \notin \{3, 6, 12, 9\} \} .$$

That is the binary cyclic code with only one non zero class, $\alpha^3$ (and its
conjugates). So its dimension is 4. The diagonal equations (12) providing
the weight enumerator of $D^\perp$ are

$$X_1^3 + \dots + X_w^3 = 0 , \quad 0 \le w \le 15 ,$$

with solutions in GF(16). The MS polynomial of any x ∈ D is

$$M_x(X) = \rho_3(x) X^{12} + \rho_6(x) X^9 + \rho_9(x) X^6 + \rho_{12}(x) X^3 = \lambda (X^3)^4 + \lambda^2 (X^3)^3 + \lambda^8 (X^3)^2 + \lambda^4 X^3 ,$$

where $\lambda = \rho_3(x)$ is any element in F. We remark that by taking $Y = X^3$ we
obtain the MS polynomial of some codeword of the code C of Example 2.6.
We have, for $0 \le i_1 \le 2$ and $0 \le i_2 \le 4$,

$$M_x(\alpha^{5 i_1 + i_2}) = M_x(\alpha^{i_2}) .$$

Actually the code D is the primitive form of the code C of Example 2.6.
Indeed the set of non-zeros of D and C are respectively

$$\{ 3 \times 1, 3 \times 2, 3 \times 4, 3 \times 3 \} \quad \text{and} \quad \{1, 2, 4, 3\}$$

and that is exactly definition (9). According to Proposition 2.11, D is a
[15, 4, 6] code whose weight enumerator is

$$W_D(x, y) = x^{15} + 10 x^9 y^6 + 5 x^3 y^{12} ,$$

since each codeword of D is obtained from only one codeword of C by
repetition of each symbol three times. The non-zero weights of codewords of
C are 2 and 4 so that they are respectively 6 and 12 for the code D. By
way of illustration, consider the idempotents of these codes. Denote by z the
idempotent of D. We have

$$M_z(X) = X^{12} + X^9 + X^6 + X^3 = \frac{X^{15} - 1}{X^3 - 1} + 1 .$$
The zeros of $M_z(X)$ are those $\alpha^k$ such that $\alpha^{3k} = 1$. The idempotent of
C was denoted by y; we showed that its MS polynomial is equal to
$(X^5 - 1)/(X - 1) + 1$. In $k[G^*, \times]$, where $G^*$ is generated by β, we have

$$y = (\beta) + (\beta^2) + (\beta^3) + (\beta^4)$$

providing in $k[F^*, \times]$

$$\begin{aligned}
z &= (\alpha) + (\alpha^{n+1}) + (\alpha^{2n+1}) + (\alpha^2) + (\alpha^{n+2}) + (\alpha^{2n+2}) \\
  &\quad + (\alpha^3) + (\alpha^{n+3}) + (\alpha^{2n+3}) + (\alpha^4) + (\alpha^{n+4}) + (\alpha^{2n+4}) \\
  &= (\alpha) + (\alpha^2) + (\alpha^4) + (\alpha^8) + (\alpha^3) + (\alpha^6) \\
  &\quad + (\alpha^9) + (\alpha^{12}) + (\alpha^7) + (\alpha^{11}) + (\alpha^{13}) + (\alpha^{14}) .
\end{aligned}$$

Note that the supports of y and z satisfy the property characterizing
idempotents: they are invariant under the Frobenius mapping.
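
The correspondence used in Example 2.12 can be checked by machine. The following Python sketch is an added example, not code from the original text; it assumes GF(16) is represented with the primitive polynomial x^4 + x + 1 (the text fixes no representation) and all function names are hypothetical. It lists D through the standard trace description of its codewords, (Tr(λ g^3)) for g in F*, counts the w-subsets of F* that solve (12) with ν = 3, and compares those counts with the MacWilliams transform of the weight distribution of D.

```python
from math import comb

# GF(16) = GF(2)[x]/(x^4 + x + 1), elements stored as integers 0..15.
# Assumption of this example: alpha = 2 (the class of x) is the primitive element.
EXP = [1]
for _ in range(14):
    v = EXP[-1] << 1
    EXP.append(v ^ 0x13 if v & 0x10 else v)
LOG = {v: i for i, v in enumerate(EXP)}
NONZERO = EXP  # F* listed as alpha^0, ..., alpha^14


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 15]


def cube(g):
    return gf_mul(g, gf_mul(g, g))


def trace(a):
    """Absolute trace GF(16) -> GF(2): a + a^2 + a^4 + a^8 (value 0 or 1)."""
    t, s = 0, a
    for _ in range(4):
        t ^= s
        s = gf_mul(s, s)
    return t


def weights_of_D():
    """dist[w] = number of codewords (Tr(lam * g^3))_{g in F*} of weight w."""
    dist = [0] * 16
    for lam in range(16):
        dist[sum(trace(gf_mul(lam, cube(g))) for g in NONZERO)] += 1
    return dist


def diagonal_solution_counts():
    """counts[w] = number of sets of w distinct nonzero g_i with sum g_i^3 = 0."""
    cubes = [cube(g) for g in NONZERO]
    counts = [0] * 16
    for mask in range(1 << 15):          # every subset of F*
        s, w = 0, 0
        for i in range(15):
            if mask >> i & 1:
                s ^= cubes[i]            # addition in GF(16) is XOR
                w += 1
        if s == 0:
            counts[w] += 1
    return counts


def macwilliams(dist, n=15):
    """Weight distribution of the dual of a binary code of length n."""
    size = sum(dist)
    dual = []
    for w in range(n + 1):
        total = sum(a * sum((-1) ** i * comb(j, i) * comb(n - j, w - i)
                            for i in range(w + 1))
                    for j, a in enumerate(dist) if a)
        dual.append(total // size)
    return dual


if __name__ == "__main__":
    print("weights of D      :", weights_of_D())
    print("solutions of (12) :", diagonal_solution_counts())
    print("MacWilliams of D  :", macwilliams(weights_of_D()))
```
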

Comments on Section 2.3 The link between diagonal equations and
irreducible cyclic codes was extensively studied by Wolfmann [148, 149].
Previously, Helleseth [77] and Tietäväinen [136] studied this approach
for finding the covering radius of codes. The problem of solving diagonal
equations of type (11) is related to famous problems such as Waring’s prob-
lem.
It is often efficient to consider an irreducible cyclic code in its primitive
form. An application can be found in [150]. In [55], this point of view is
decisive for the determination of the weight distributions of cosets of 2-error-
correcting binary BCH codes. It is generalized in [56].

2.4 Affine-Invariant codes


In this section, we consider codes of A — i.e. of the field algebra of the
primitive extended codes. Addition and multiplication in the field F involve
natural transformations on codewords including the following affine permu-
tations

$$\sigma_{u,v} : \sum_{g \in F} x_g X^g \longmapsto \sum_{g \in F} x_g X^{ug+v} , \quad u \in F^* , \ v \in F . \tag{13}$$

The permutations $\sigma_{u,0}$ consist of shifting symbols unless the symbol is labelled
by 0. It is exactly the shift on codewords punctured in the position “0”. On
the other hand we have clearly

$$\sigma_{1,v}(x) = X^v x .$$

Thus a code C, which is invariant under the permutations $\sigma_{u,v}$, is an extended
cyclic code and an ideal of A. Such a code is called an affine-invariant code.
We will develop a combinatorial approach to affine-invariant codes, by
defining the poset of affine-invariant codes. Each affine-invariant code can
be identified with one and only one antichain of the poset (S, ⪯), S = [0, n].
This leads to a classification, which is purely combinatorial. But it is most
surprising that a given antichain contains much information about the code
that it defines. This will provide tools useful in applications. In particular,
with this point of view, the connection with the general representation of
the ideals of A is established. For instance, the principal ideals, which are
extended cyclic codes, are easily characterized. Finally a result on maximal
antichains, due to Griggs, can be applied.
By our approach we complete the algebraic study of Assmus and Key
(Chapter XXX Section 4). We do not give the complete proofs of results
because our aim is mainly to suggest another context or other extensions.
Moreover some of them can be found in Chapter(Assmus-Key). The main
references are [51] and [52]. The results (and terminology) on antichains are
those of Griggs [73].

2.4.1 The poset of affine-invariant codes


Affine-invariant codes were characterized by Kasami et al. in [87]. The
authors showed that an extended cyclic code is affine-invariant if and only
if its defining set satisfies a certain combinatorial property. We will present
this result (Theorem 2.14) in terms of a partial order.

Definition 2.13 Let $S = [0, p^m - 1]$. The p-ary expansion of s ∈ S is
$\sum_{i=0}^{m-1} s_i p^i$, $s_i \in [0, p-1]$. We denote by ⪯ the partial order relation on S
defined as follows:

$$\forall\, s, t \in S : \quad s \preceq t \iff s_i \le t_i , \ i \in [0, m-1]$$

(s ≺ t means s ⪯ t and s ≠ t).

Then we can define the poset (S, ⪯). When s ⪯ t, s is said to be a
descendant of t and t to be an ascendant of s. We can define a maximal
(resp. minimal) element of a subset of S, with respect to ⪯. Two elements,
s and t, are not related when they are distinct and are such that s ⊀ t and
t ⊀ s. An antichain of (S, ⪯) is a set of non-related elements of S. In the
usual terminology, (S, ⪯) is said to be a product of chains of size p.

Theorem 2.14 Let us define the map

$$\Delta : T \subset S \longmapsto \Delta(T) = \bigcup_{t \in T} \{ s \in S , \ s \preceq t \} . \tag{14}$$

Let C be an extended cyclic code, with defining set T. Then C is
affine-invariant if and only if ∆(T) = T.

Let T ⊂ S. The border of T is the antichain I of (S, ⪯) consisting of the
minimal elements of the set S \ T. It is easy to check the following:

$$I = \{ s \in S \setminus T \mid \Delta(s) \setminus \{s\} \subset T \} \tag{15}$$

where ∆(s) = ∆({s}). For simplification we will often say the border of the
code C, with defining set T, instead of the border of T. Many extended cyclic
codes have the same border. However one and only one affine-invariant code
corresponds to a given antichain, providing the classification of the
affine-invariant codes via antichains of (S, ⪯).

Theorem 2.15 There is a one-to-one correspondence between antichains of
(S, ⪯) and affine-invariant codes of length $p^m$. Each antichain is the border
of one and only one affine-invariant code.

Proof: Let I be an antichain of (S, ⪯) and define the following subset of S:

$$T = S \setminus \bigcup_{f \in I} \{ s \in S \mid f \preceq s \} = \bigcap_{f \in I} \{ t \in S \mid f \not\preceq t \} .$$

It is clear that the two definitions of T above are equivalent. By definition
∆(T) = T and I is the border of T. So we can define the affine-invariant
code C with defining set T and border I.
Suppose now that a subset T′ of S, such that ∆(T′) = T′, also has border
I. It is impossible to have s ∈ T′ and f ⪯ s, for some f ∈ I, since I is
the border of T′. So T′ is included in T. If there exists an s ∈ T \ T′, then
T contains any descendant of s. In particular T contains a descendant of s
which is in the border of T′, a contradiction. Hence T′ = T.

When the defining set of any cyclic code is precisely described, it is easy
to check if this code is affine-invariant or not. For instance, GRM codes and
extended narrow-sense BCH codes are obviously affine-invariant. It is more
difficult to determine the border of any affine-invariant code; generally one
has to make do with numerical results, by using a computer. However, in
some cases, it is possible to prove exactly what the border is. We present
below two results: the borders of p-ary RM codes and the borders of extended
RS codes. We give the proof of the first one; the proof of the second one,
which is more technical, can be found in [52]. Note that the RM codes have,
as borders, maximal antichains while the border of any extended RS code of
length $p^m$ cannot have more than m elements.

Proposition 2.16 The border of the p-ary RM code of length $p^m$ and order
ν, denoted by $R_p(\nu, m)$ with 0 ≤ ν < m(p − 1), is

$$S_\mu = \{ t \in S \mid wt_p(t) = \mu \} \quad \text{where} \quad \mu = m(p-1) - \nu .$$

Such an antichain $S_\mu$ is said to be a maximal antichain of constant rank.

Proof: GRM codes are defined in Definition 2.8. In the terminology of partial
order, the p-weight of any s ∈ S is said to be the rank of s. Two distinct
elements with the same p-weight are not related, with respect to ⪯. So a set
of elements of the same p-weight is an antichain, which is called an antichain
of constant rank [73]. An antichain is said to be maximal if it is not included
in a bigger antichain. Clearly, the antichain $S_\mu$ is maximal.
Recall that $wt_p(s)$ is the integer sum of the symbols of the p-ary expansion
of s. The defining set T of $R_p(\nu, m)$ is the set of those s ∈ S satisfying
$0 \le wt_p(s) < \mu$. Obviously, s ⪯ t implies $wt_p(s) \le wt_p(t)$.
Let t ∈ S such that $wt_p(t) = \mu$. Any descendant s of t is in T, except
t itself. So t is in the border of T. Conversely if a given t satisfies this
last property, it cannot be such that $wt_p(t) > \mu$, because it cannot have a
descendant whose p-weight is µ. So the border of T is exactly $S_\mu$, completing
the proof.


Proposition 2.17 Let C(d) be the extended RS code of length $p^m$ and
designed distance d. It is a code over the field of order $p^m$ and its defining set
is the set of elements in the interval [0, d − 1] (see Definition 2.9).
Let $(d_0, \dots, d_{m-1})$ be the p-ary expansion of d and denote by $k_0$ the
smallest k such that $d_k \ne 0$. Let us define $d^{(m-1)} = (d_{m-1} + 1) p^{m-1}$ and for any
k, 0 ≤ k < m − 1,

$$d^{(k)} = (d_k + 1) p^k + \sum_{i=k+1}^{m-1} d_i p^i .$$

Then the border of C(d) is

$$I(d) = \{ d \} \cup \{ d^{(k)} \mid k_0 < k \le m-1 \ \text{and} \ d_k < p-1 \} .$$

Note that the minimum distance of C(d) is d+1, since the minimum distance
of the RS code is exactly d.

Example 2.18 Denote by C the extension of the RS code with parameters
[127, 102, 26]. The defining set of C is [0, 25]; the designed distance is d = 26.
The minimum distance of C is 27 (see later Property 2.20). With the notation
of Proposition 2.17, we have $k_0 = 1$ and the border of C is

$$I(d) = \{ d, d^{(2)}, d^{(5)}, d^{(6)} \}$$

where

$$\begin{aligned}
d &= (0, 1, 0, 1, 1, 0, 0) = 26 \\
d^{(2)} &= (0, 0, 1, 1, 1, 0, 0) = 28 \\
d^{(5)} &= (0, 0, 0, 0, 0, 1, 0) = 32 \\
d^{(6)} &= (0, 0, 0, 0, 0, 0, 1) = 64 .
\end{aligned}$$

We pointed out that the affine-invariant codes of length $p^m$ can be
classified, by considering the antichains of (S, ⪯). There are special classes among
these antichains as well as special classes of affine-invariant codes. In other
words, and it is quite surprising, many properties of a given affine-invariant
code can be deduced from its border. One aspect will be developed later in
the description of “cyclic ideals” of A. We now give some basic properties
and two examples for illustration. The proofs, which are generally simple,
can be found in [52], [21] or [54]. Recall that $n = p^m - 1$ and S = [0, n].

Property 2.19 Let I be an antichain of (S, ⪯). Denote by T the subset of
S such that ∆(T) = T and whose border is I. Let u divide m (u may be 1
or m). Then $p^u I = I$ if and only if $p^u T = T$ (modulo n).
Actually this means that the class of antichains satisfying $p^u I = I$
corresponds to the class of affine-invariant codes over k, where k is the finite field
of order $p^u$.

Property 2.20 Let C be an affine-invariant code with defining set T and
border I. Let $C^*$ be the cyclic code whose extended code is C. The cardinality
of the largest interval contained in T is called the BCH bound of C. Let
δ be the smallest element of I. Then [0, δ − 1] ⊂ T and δ is the BCH bound
of C. This property provides a lower bound for the minimum distance of C.
Indeed the minimum distance of $C^*$ is lower-bounded by δ, since [1, δ − 1] is
contained in the defining set of $C^*$. Since C is affine-invariant, its minimum
distance is lower-bounded by δ + 1. Note that the BCH bound of $C^*$ could
be δ + 1, but no more.

Property 2.21 Let C be an affine-invariant code with defining set T and
border I. The dual code $C^\perp$ is also affine-invariant. Denote by $I^\perp$ its border
and by $T^\perp$ its defining set. Let us define the maximal set M of T (or of C)
as the set of maximal elements of T, with respect to ⪯.
Obviously M is an antichain. As well as the border, the maximal set of
T uniquely defines the affine-invariant code C. Moreover $M = n - I^\perp$ and,
conversely, $I = n - M^\perp$.

Property 2.22 This property is an application of Property 2.21; we keep
the same notation. The code C is self-orthogonal, i.e. $C \subset C^\perp$, if and only
if its border satisfies

$$\text{for all } s \text{ in } I \text{ and for all } t \text{ in } I \text{ then } t \notin \Delta(n - s) . \tag{16}$$

In other words the class of antichains of (S, ⪯) satisfying (16) corresponds
to the class of affine-invariant self-orthogonal codes of length $p^m$.
It is well-known that a ternary code is 3-divisible (i.e. any codeword has
a weight divisible by 3) when it is self-orthogonal. Hence, when p = 3, an
antichain I which satisfies (16) and 3I = I (modulo n) defines one and only
one 3-divisible ternary affine-invariant code.

Example 2.23 Consider the extended BCH code of length 16 with designed
distance 5, say C. First suppose that C is binary. The defining set is

$$T = \{ 0, 1, 2, 4, 8, 3, 6, 9, 12 \} .$$

By writing the 2-ary expansions of these elements we obtain

$$T = \left\{ \begin{array}{cccc}
(0\ 0\ 0\ 0) & & & \\
(1\ 0\ 0\ 0) & (0\ 1\ 0\ 0) & (0\ 0\ 1\ 0) & (0\ 0\ 0\ 1) \\
(1\ 1\ 0\ 0) & (0\ 1\ 1\ 0) & (1\ 0\ 0\ 1) & (0\ 0\ 1\ 1)
\end{array} \right\}$$

It is easy to check that the border I is exactly the 2-cyclotomic coset of 5:

$$I = \{ 5 = (1\ 0\ 1\ 0), \ 10 = (0\ 1\ 0\ 1) \} .$$

Suppose now that C is a code over GF(4). The defining set is
T′ = { 0, 1, 4, 2, 8, 3, 12 } and the border is obviously I′ = { 5, 6, 9, 10 }.
Note that 2I = I and 2I′ ≠ I′, whereas 4I = I and 4I′ = I′ (modulo 15).
For both codes, the smallest element of the border is 5, the designed distance.
That illustrates Properties 2.19 and 2.20.

Example 2.24 Let p = 3 and m = 3; so S = [0, 26]. Consider the
3-cyclotomic coset modulo 26 containing 7. It is the antichain

$$I = \{ 7, 21, 11 \} = \{ (1\ 2\ 0), (0\ 1\ 2), (2\ 0\ 1) \} .$$

Hence we have

$$n - I = \{ 19, 5, 15 \} = \{ (1\ 0\ 2), (2\ 1\ 0), (0\ 2\ 1) \} .$$

It is easy to check that I satisfies (16): there is no t ∈ I which is a descendant
of some u ∈ n − I. Therefore the affine-invariant code C, whose border is I,
is self-orthogonal. Its BCH bound is 7, implying that its minimum distance
is at least 8. It is at least 9, since C is 3-divisible (see Property 2.22).
The defining set of C is the set of s such that t ⋠ s, for all t ∈ I. That
is:

$$T = \left\{ \begin{array}{ccccc}
(0\ 0\ 0) & (1\ 0\ 0) & (2\ 0\ 0) & (0\ 1\ 0) & (1\ 1\ 0) \\
(2\ 1\ 0) & (0\ 2\ 0) & (0\ 0\ 1) & (1\ 0\ 1) & (0\ 1\ 1) \\
(1\ 1\ 1) & (0\ 2\ 1) & (0\ 0\ 2) & (1\ 0\ 2) &
\end{array} \right\}$$

One deduces that the maximal set of C is the antichain

$$M = \{ 5, 15, 19, 13 \} = \{ (2\ 1\ 0), (0\ 2\ 1), (1\ 0\ 2), (1\ 1\ 1) \} .$$

The maximal set of the dual of C is $M^\perp = n - I$. It is clear that $M^\perp \subset T$,
implying $T^\perp \subset T$. This again shows that C is self-orthogonal. The border
of the dual of C is the antichain

$$I^\perp = n - M = \{ (0\ 1\ 2), (2\ 0\ 1), (1\ 2\ 0), (1\ 1\ 1) \} .$$
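
The combinatorics of Section 2.4.1 are easy to reproduce by machine. The following Python sketch is an added example, not code from the original text, and its function names are hypothetical. It implements the order ⪯ of Definition 2.13, the map ∆ of (14), the border via (15), the defining set rebuilt from an antichain as in the proof of Theorem 2.15, the maximal set of Property 2.21, condition (16), and the formula of Proposition 2.17, so that Examples 2.18, 2.23 and 2.24 can be recomputed.

```python
def digits(s, p, m):
    """p-ary expansion (s_0, ..., s_{m-1}) of s, least significant digit first."""
    return [(s // p**i) % p for i in range(m)]


def precedes(s, t, p, m):
    """s ⪯ t: each p-ary digit of s is at most the matching digit of t."""
    return all(a <= b for a, b in zip(digits(s, p, m), digits(t, p, m)))


def delta(T, p, m):
    """Map (14): the set of all descendants of the elements of T."""
    return {s for s in range(p**m) if any(precedes(s, t, p, m) for t in T)}


def is_affine_invariant(T, p, m):
    """Theorem 2.14: an extended cyclic code is affine-invariant iff Δ(T) = T."""
    return delta(T, p, m) == set(T)


def border(T, p, m):
    """Characterisation (15): s outside T whose proper descendants all lie in T."""
    T = set(T)
    return {s for s in range(p**m)
            if s not in T and delta({s}, p, m) - {s} <= T}


def maximal_set(T, p, m):
    """Property 2.21: the maximal elements of T with respect to ⪯."""
    T = set(T)
    return {t for t in T
            if not any(u != t and precedes(t, u, p, m) for u in T)}


def defining_set_from_border(I, p, m):
    """Proof of Theorem 2.15: T = { s | f is not ⪯ s for every f in I }."""
    return {s for s in range(p**m)
            if not any(precedes(f, s, p, m) for f in I)}


def is_self_orthogonal(I, p, m):
    """Condition (16): no t in I is a descendant of n - s for any s in I."""
    n = p**m - 1
    return not any(precedes(t, n - s, p, m) for s in I for t in I)


def rs_border(d, p, m):
    """Proposition 2.17: border I(d) of the extended RS code C(d)."""
    dk = digits(d, p, m)
    k0 = next(k for k in range(m) if dk[k] != 0)
    out = {d}
    for k in range(k0 + 1, m):
        if dk[k] < p - 1:
            tail = sum(dk[i] * p**i for i in range(k + 1, m))
            out.add((dk[k] + 1) * p**k + tail)   # this is d^(k)
    return out


if __name__ == "__main__":
    T23 = {0, 1, 2, 4, 8, 3, 6, 9, 12}            # Example 2.23, binary case
    print(is_affine_invariant(T23, 2, 4), sorted(border(T23, 2, 4)))
    I24 = {7, 21, 11}                             # Example 2.24
    T24 = defining_set_from_border(I24, 3, 3)
    print(sorted(T24), sorted(maximal_set(T24, 3, 3)),
          is_self_orthogonal(I24, 3, 3))
    print(sorted(rs_border(26, 2, 7)))            # Example 2.18
```
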

2.4.2 Affine-invariant codes as ideals of A


Recall that the ambient space is A = k[{F, +}] where k is any subfield of
the field F of order pm . Note that p-ary codes can be defined in this ambient
space – or more generally $p^e$-ary codes, $p^e$ dividing the order of k. In other
words a p-ary code is a code which has a generator matrix with coefficients
in GF(p).
Let x be any element of A. The pth power of x, where p is the characteristic
of A, is as follows:

$$x^p = \Big( \sum_{g \in F} x_g X^g \Big)^p = \sum_{g \in F} x_g^p X^{pg} = \Big( \sum_{g \in F} x_g^p \Big) X^0 = \Big( \sum_{g \in F} x_g \Big)^p X^0 .$$

Thus x is either invertible, when $\sum_{g \in F} x_g \ne 0$, or nilpotent, when
$\sum_{g \in F} x_g = 0$. The radical of the algebra A is the set of nilpotent elements of A. It is
clearly an ideal of A, the unique maximal ideal of A. We will denote it by
P; the rth power of the ideal P will be denoted by $P^r$. Recall that powers
of the radical of A are the p-ary Reed-Muller codes:

$$P^r = R_p(m(p-1) - r, m) , \quad 1 \le r \le m(p-1) . \tag{17}$$

The proof of this important property, as well as an extensive study on the
ideals $P^r$, can be found in the chapter(Assmus-Key) (Section 4). Our
notation is slightly different; note A is used instead of R and P instead of
M.
Any element (or any subset) of A has a “position” in the decreasing
sequence provided by ideals $P^r$. This is a new parameter we will call the
depth: x ∈ A has depth r if and only if $x \in P^r \setminus P^{r+1}$. Similarly the depth
of any ideal U of A is r if and only if U is contained in $P^r$ and not in $P^{r+1}$.
Our purpose here is to describe the affine-invariant codes by a set of
generators. Any ideal of A is a sum of principal ideals. For any element x
of A, we will denote by (x) the principal ideal generated by x. The next
definition and Theorem 2.26 were introduced by Laubie in [97].

Definition 2.25 Let U be an ideal of A and let V be a subset $\{ u_1, \dots, u_\ell \}$
of U. The set V is said to be a generator system of U if

$$U = (u_1) + \dots + (u_\ell) .$$

Moreover V is said to be minimal when the cardinality k of any generator
system of U satisfies ℓ ≤ k. In this case we will say that ℓ is the size of the
ideal U.

Theorem 2.26 Let U be an ideal of A. For any x ∈ U, denote by $\bar{x}$ the
image of x in the quotient vector-space U/PU. Then the following statements
are equivalent:

(i) $\{ u_1, \dots, u_\ell \}$ is a minimal generator system of U.

(ii) $\{ \bar{u}_1, \dots, \bar{u}_\ell \}$ is a basis of U/PU.

Note that PU is the ideal generated by the products xy, x ∈ P and y ∈ U.

The main consequence of this theorem is that any generator system of any
ideal U of A contains a minimal generator system. More precisely, one has
a method for finding the size of any ideal.
Principal ideals are simply the ideals of size 1. In the general case it is
not so easy to determine the size. However, for affine-invariant codes, the
size is deduced from the border.

Theorem 2.27 Let U be an affine-invariant code with defining set T and
border I. Let θ be the cardinality of I. Then θ is the size of the ideal U.

Sketch of proof: The complete proof is given in [52]. First consider the ideal
PU. As P and U are affine-invariant, PU is affine-invariant. It is sufficient
to see that for x ∈ P and y ∈ U

$$\sigma_{u,0}(xy) = \sigma_{u,0}(x)\, \sigma_{u,0}(y) .$$

Let $\overline{T}$ be the defining set of PU. Then we have the following property:

$$\overline{T} = T \cup I .$$

Then the dimension of U is equal to the dimension of PU plus θ. It remains
to find θ elements in U, linearly independent and providing a basis of U/PU.
We will indicate how this basis can be constructed. Let $U^*$ be the cyclic
code whose extension is U. We consider the usual generator matrix of $U^*$,
whose rows are the generator polynomial and their shifts (see Chapter 1,
Theorem 5.2.). By extending each row of this matrix, we obtain a basis of
U. Let x be the first extended row — i.e. the extension of the generator
polynomial of the cyclic code $U^*$. The extension of the ith row is the image
of x by the affine-permutation $\sigma_{\alpha^i,0}$. Then the set

$$\{ x, \ \sigma_{\alpha,0}(x), \ \sigma_{\alpha^2,0}(x), \ \dots, \ \sigma_{\alpha^{\theta-1},0}(x) \}$$

is a minimal generator system of U.



An immediate consequence of this theorem is the characterization of
affine-invariant codes which are principal ideals of A — i.e. affine-invariant
codes of size 1.

Corollary 2.28 Let q be the order of the alphabet field k.
An affine-invariant code is a principal ideal if and only if its border has
only one element. More precisely, the border contains only one element δ,
satisfying qδ ≡ δ modulo n.

Example 2.29 As an example, the class of extended RS codes which are
principal ideals is easily deduced from Proposition 2.17. Indeed such a code
C(d) must have as border the set {d}, where d is its designed distance. So,
in Proposition 2.17, d must be such that the set

$$\{ d^{(k)} \mid k_0 < k \le m-1 \ \text{and} \ d_k < p-1 \}$$

is empty. It is equivalent to say that d has the following form

$$d = d_{k_0} p^{k_0} + \sum_{k=k_0+1}^{m-1} (p-1) p^k , \quad d_{k_0} \in [1, p-1] , \ k_0 \in [0, m-2] . \tag{18}$$

By convention, $d = d_{k_0} p^{k_0}$ when $k_0 = m - 1$. There are m(p − 1) principal
extended RS codes, one and only one for each depth.
For instance, consider the RS code with parameters $[2^m - 1, 2^{m-1}, 2^{m-1}]$
over $GF(2^m)$. Then the extended code, C(d) with $d = 2^{m-1}$, is such that d
satisfies (18). So C(d) is a principal ideal. The code C(d) has parameters
$[2^m, 2^{m-1}, 2^{m-1} + 1]$. Its defining set is $[0, 2^{m-1} - 1]$ and its maximal set is
simply $\{ 2^{m-1} - 1 \}$. From Property 2.21, the border of the dual code also
contains only one element, which is

$$(2^m - 1) - (2^{m-1} - 1) = 2^{m-1} .$$

The code C(d) and its dual have the same border, implying that C(d) is
self-dual. The binary image of such self-dual codes, with short lengths, appears
in [120] and [121] for a new construction of the binary Golay code and of an
extremal self-dual code of length 64.

d      border
1*     cl(1)
3*     cl(3) ∪ cl(5) ∪ cl(9)
5*     cl(5) ∪ cl(9)
7      cl(7) ∪ cl(9)
11*    cl(11) ∪ cl(13) ∪ cl(19) ∪ cl(21)
13*    cl(13) ∪ cl(19) ∪ cl(21)
15     cl(15) ∪ cl(19) ∪ cl(21)
19*    cl(19) ∪ cl(21)
21     cl(21) ∪ cl(27)
23*    cl(23) ∪ cl(27) ∪ cl(29) ∪ cl(43)
27*    cl(27) ∪ cl(29) ∪ cl(43)
29*    cl(29) ∪ cl(43)
31     cl(31) ∪ cl(43)
43*    cl(43)
47*    cl(47) ∪ cl(55)
55*    cl(55)
63*    cl(63)

Table 1: Borders of the extended binary BCH codes of length 128; d is
the designed distance of the BCH code; cl(i) denotes the 2-cyclotomic coset
containing i; the asterisk indicates that the border is an antichain of constant
rank.

On the other hand the results of Griggs on maximal antichains can be
applied here to the determination of affine-invariant codes of maximal size.
These codes are among the p-ary RM codes.

Theorem 2.30 Let U be an affine-invariant code and denote by t(U) the
size of U. Let $S_j$, 1 ≤ j ≤ m(p − 1), be the maximal antichain of constant
rank which is the border of $P^j$. Denote by $|S_j|$ the cardinality of $S_j$. Let λ
be the median p-weight in $S = [0, p^m - 1]$:

$$\lambda = \left\lfloor \frac{m(p-1)}{2} \right\rfloor$$

Then $t(U) \le |S_\lambda|$. Moreover if $t(U) = |S_\lambda|$ then U is a p-ary RM code. That
is:

• if m(p − 1) is even then $U = P^\lambda$;

• if m(p − 1) is odd then U is either $P^\lambda$ or $P^{\lambda+1}$.

Note that $\lfloor a \rfloor$ denotes the integer part of some real number a.

Proof: It was proved by Griggs in [73] that the maximal size for an antichain
of (S, ⪯) is exactly the size of $S_\lambda$. Moreover if m(p − 1) is even, $S_\lambda$ is the
unique antichain of this size. If m(p − 1) is odd then we have p = 2, m odd,
and λ = (m − 1)/2; the size of $S_\lambda$ is exactly the size of $S_{\lambda+1}$ since these sizes
are respectively

$$\binom{m}{(m-1)/2} \quad \text{and} \quad \binom{m}{(m+1)/2} .$$

The antichains $S_\lambda$ and $S_{\lambda+1}$ uniquely define the affine-invariant codes $P^\lambda$ and
$P^{\lambda+1}$. Note that $P^{\lambda+1}$ is the self-dual doubly-even RM code.


Let U be an affine-invariant code with border I. We have proved that
the size of U is the cardinality of I. On the other hand, the depth of U is
easily obtained. It is

$$\min \{ wt_p(s) \mid s \in I \} ,$$

because if there is an s ∈ I which has p-weight µ then U cannot be contained
in $P^{\mu+1}$ – i.e. the defining set of U does not contain the defining set of $P^{\mu+1}$
(see Proposition 2.16).
If all elements in I have the same p-weight, then I is an antichain of
constant rank. This is the case for principal ideals and for p-ary Reed-Muller
codes. The extended RS codes defined from an antichain of constant rank
can be easily obtained from Proposition 2.17 (see another proof in [50]).
Moreover several extended BCH codes have this property. As an example we
give in Table 1 the borders of the extended BCH codes of length 128. The
class of extended BCH codes which are principal is described in [53]. It is
proved that the true minimum distance of these BCH codes is exactly the
designed distance. It is important to notice that, by studying a special class
of ideals, some results on parameters of some BCH codes are then obtained.
When the alphabet field is a prime field, all principal affine-invariant codes
are extended BCH codes. To conclude we give an example over the field of
order 5.

Example 2.31 Consider BCH codes of length $5^3 - 1$ over GF(5). Denote
by $B^*(d)$ such a code with designed distance d. Let B(d) be the extended
code. The codes B(d), which are principal ideals, are defined from antichains
{d} such that 5d = d modulo 124. Then the 5-ary expansion of d must have
the following form: $d = \delta(1 + 5 + 5^2)$, δ ∈ [1, 4].
Let C be any affine-invariant code with border {d}, where d has the form
above. Let T be the defining set of C. Then t ∈ T if and only if t is not an
ascendant of d, with respect to ⪯. That is

$$T = \{ t \mid t \ne d \ \text{and} \ d \not\prec t \} .$$

Since the 5-ary expansion of d is (δ, δ, δ), the condition t ∈ T means that
there is a representative of the 5-cyclotomic coset of t which is smaller than
d. Thus T is the defining set of the extension of the BCH code B(d) — i.e.
C = B(d).
Then the four affine-invariant codes, which are principal, are extended
BCH codes B(d) with d ∈ {31, 62, 93, 124} (if d = 124 the code is trivial).
The dimensions of these codes are respectively $(5 - \delta)^3$, δ ∈ [1, 4]. The
minimum distance of $B^*(d)$ is d and the minimum distance of B(d) is d + 1
(see [53, Theorem 2]).

Comments on Section 2.4 At the end of this section, we indicated
more properties of affine-invariant codes which are properties of antichains.
There are other examples: it was proved in [21] that the automorphism
group of an affine-invariant code can be determined from the knowledge of
its border and of its maximal set only. Another example is given in [54], where
the antichains defining self-dual affine-invariant codes are studied (only for
codes over $GF(2^r)$). The affine-invariant codes whose border is an antichain
of constant rank appear as a special class. However, except when the size is
1, no new results (on weights, dimension, ...) are derived.
Affine-invariant codes are of most interest when the combinatorial prop-
erties of the defining sets of cyclic codes are considered. There is a natural
question: is it possible, maybe with another partial order, to define other spe-
cial classes? We have in mind the work providing bounds on the minimum
distance (see Chapter 1, Section 6). On the other hand, is the development
similar when repeated-root cyclic codes, constructed from affine-invariant
codes, are considered?
To conclude we want to mention the role of the multiplication of the
algebra A in the study of primitive codes. For instance, Theorem 2.26 can
be applied because it is possible to determine the defining set of the code
PU. More generally, one can characterize any code UV where U and V are
affine-invariant codes. This is because the value $\phi_s(xy)$, for some s, can be
calculated from $\phi_s(x)$ and $\phi_s(y)$ (see in Chapter(Assmus-Key), Section 4.3.).

3 On parameters of cyclic codes.


This section deals with famous open problems. For instance it is well-known
that the minimum distance of a given cyclic code is generally not known.
A fortiori weight enumerators of cyclic codes are generally not known. The
study of weight enumerators, complete or not, is crucial in coding theory.
A lot of open problems arise from the difficulty of obtaining results on the
number or on the form of a set of codewords of a given weight.
The main part of this section is devoted to the question of the form
of codewords. We develop connections with two algebraic problems: the
solvability of some systems of algebraic equations and the existence of certain
kinds of polynomials on finite fields (Section 3.1 and 3.2). Above all, we want
to emphasize the significant role of tools derived from symbolic calculus, as
has appeared in recent works. We want also to point out that several classical
problems of the theory of finite fields are involved.
In Sections 3.3 and 3.4, our main purpose is to illustrate the hardness of
any question on weight enumerators by discussing simple specific problems.
We have chosen, at first, two well-known hard open problems: the minimum
distance of binary narrow-sense BCH codes and the weight enumerators of
binary RM codes.
We later treat the weight enumerators of cyclic codes with few zeros, es-
pecially of binary cyclic codes with two zeros which appear to be the simplest
cyclic codes involved in several applications (see an example in Section 4.1).
The determination of the weight enumerator of such a code remains an open
problem except when the code is optimal in a certain sense. Our aim is to
recall and explain the main tools which were used by Kasami for proving
the unicity of the weight enumerator of these optimal codes. The work of
Kasami, based on the MacWilliams transform and the Pless identities,
is still fundamental for any approach with a view toward classifying cyclic
codes with few zeros.
Section 3.4.3 is a short paragraph devoted to irreducible cyclic codes –
i.e. the duals of the cyclic codes with one zero. Note that to say “j zeros” for
any q-ary cyclic code means that the defining set of this code is the union of
exactly j q-cyclotomic cosets.
Section 3 is completed by short comments on the automorphism group of
cyclic codes and on the question of their asymptotic behaviour.

3.1 Codewords and Newton identities


In this section we introduce the Newton identities, restricting ourselves to the
context of cyclic codes – however the reader can easily see that they can be
defined in a more general context. By using Newton identities, one can put
in a concrete form the definition of words of a given code, whose weights are
less than or equal to a fixed value. Our purpose is to explain (and we will
do that as one goes along) why this form is “concrete” and how it can be
exploited. We wish to show that Newton identities are a tool of great interest
for describing a set of codewords, particularly for codewords of cyclic codes.
This section is based on the recent work of Augot [5][6].
Taking any codeword c, say $(c_1, \dots, c_n)$, its support is the set

$$supp(c) = \{ i \mid c_i \ne 0 \} .$$

We consider here codewords of length n whose supports are contained in a
finite field F, with respect to the ambient space $M = k[\{G^*, \times\}]$ (see §2.2);
recall that $G^*$ is the subgroup of order n of the multiplicative group of the
splitting field F of $X^n - 1$.
We can then study, as well as codewords, subsets of F and polynomials
in the ring F[X]. Recall that such a polynomial is said to split in F when it
can be written as a product of linear factors in F[X].

Definition 3.1 Let $x = \sum_{g \in G^*} x_g (g)$ be a codeword in M of weight w. The
support of x is said to be its set of locators. That is

$$supp(x) = \{ g_1, \dots, g_w \} = \{ g \in G^* \mid x_g \ne 0 \} .$$

The locator polynomial of x is the polynomial over F defined as follows:

$$\sigma_x(X) = \prod_{i=1}^{w} (1 - g_i X) .$$

The coefficients of $\sigma_x(X)$ are the elementary symmetric functions of the
locators $g_i$, 1 ≤ i ≤ w. These are for any j, 1 ≤ j ≤ w,

$$\sigma_j = (-1)^j \sum_{1 \le i_1 < i_2 < \dots < i_j \le w} g_{i_1} g_{i_2} \cdots g_{i_j} .$$

The power sum functions of the locators of x are:

$$A_i = \sum_{k=1}^{w} g_k^i , \quad i \ge 0 .$$

Note that the locators of a codeword are, by definition, distinct elements.

The definition of the locator polynomial is in conformity with the definition of
the extended codeword (see (7)). Indeed the support of extended codewords
is contained in $G = G^* \cup \{0\}$. If such a support contains “0”, the polynomial
$\sigma_x(X)$ is multiplied by 1 and the power sum functions are also unchanged.
Actually we assume that a codeword and its extension have the same locator
polynomial.
The following properties can be easily proved. Our notation is that of
Definition 3.1; q is the order of the alphabet field and α is an nth root of
unity.

Proposition 3.2 Let $x^{(k)}$ be the kth-shift of x. Denote by $\sigma_j^{(k)}$ the coefficients
of the locator polynomial of $x^{(k)}$ and by $A_i^{(k)}$ its power sum functions. Then

(i) $A_{qi} = A_i^q$, $A_{i \bmod n} = A_i$ and $A_i^{(k)} = \alpha^{ik} A_i$.

(ii) The support of $x^{(k)}$ is $\{ \alpha^k g_1, \dots, \alpha^k g_w \}$ and

$$\sigma_{x^{(k)}}(X) = \sigma_x(\alpha^k X) , \quad \text{i.e.} \quad \sigma_j^{(k)} = \alpha^{kj} \sigma_j .$$

There are two natural questions. What is the form of the locator polynomial
of this or that codeword of a given cyclic code ? Is a given polynomial
a possible locator polynomial ? The use of the Newton identities is the
most natural tool for attacking these questions. We can write simply an
algebraic system of equations over the splitting field F whose solutions could
correspond to the codewords.
Note that a codeword whose symbols are from {0, 1} can be identified
with its support and then with its locator polynomial. Moreover for such a

codeword the coefficients of the MS polynomials are exactly the power sums
of the locators. The Newton identities are usually viewed in this context
while those introduced by Theorem 3.5 are said to be the generalized Newton
identities. We begin by giving the usual form which is very useful in practice,
mainly in the binary case, as will appear in the next example.

Theorem 3.3 Let x ∈ M be a codeword of weight w, with locators $g_1, \dots, g_w$.
Then the coefficients of the locator polynomial and the power sum functions
of x are linked by the Newton identities, i.e. with notation of Definition 3.1,
the following identities hold:

$$\begin{aligned}
A_1 + \sigma_1 &= 0 \\
A_2 + \sigma_1 A_1 + 2\sigma_2 &= 0 \\
&\;\;\vdots \\
A_w + \sigma_1 A_{w-1} + \dots + \sigma_{w-1} A_1 + w\sigma_w &= 0
\end{aligned} \tag{19}$$

and for j > w,

$$A_j + \sigma_1 A_{j-1} + \dots + \sigma_w A_{j-w} = 0. \tag{20}$$

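Proof: The logarithmic derivative of $\sigma_x(X)$, with respect to X, is

$$\frac{\sigma_x'(X)}{\sigma_x(X)} = \sum_{i=1}^{w} \frac{-g_i}{1 - g_i X}.$$

But the formal series of $(1 - g_i X)^{-1}$ is $\sum_{\ell=0}^{\infty} g_i^{\ell} X^{\ell}$. So we have

$$\frac{\sigma_x'(X)}{\sigma_x(X)} = \sum_{i=1}^{w} \left( -g_i \sum_{\ell=0}^{\infty} g_i^{\ell} X^{\ell} \right) = \sum_{\ell=0}^{\infty} \sum_{i=1}^{w} -g_i^{\ell+1} X^{\ell} = \sum_{\ell=0}^{\infty} -A_{\ell+1} X^{\ell}.$$

This yields

$$\sigma_x'(X) = \left( \sum_{\ell=0}^{\infty} -A_{\ell+1} X^{\ell} \right) \left( \sum_{i=0}^{w} \sigma_i X^i \right)$$

giving

$$\sum_{j=1}^{w} j\,\sigma_j X^{j-1} = \sum_{j=0}^{\infty} \left( \sum_{\ell+i=j} -A_{\ell+1}\,\sigma_i \right) X^j.$$

By equating coefficients we obtain

$$\begin{aligned}
j\,\sigma_j &= -\sum_{i=0}^{j-1} A_{j-i}\,\sigma_i, && \text{for } j \le w, \\
0 &= \sum_{i=0}^{w} A_{j-i}\,\sigma_i, && \text{for } j > w.
\end{aligned}$$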

Example 3.4 Let C be the binary cyclic code of length $n = 2^m - 1$ with
defining set T, T = cl(3) ∪ cl(5), where cl(i) is the 2-cyclotomic coset of i
modulo n. By using Newton identities, we will prove the following property:

The code C has minimum distance 3 if and only if 3 divides m.
In this case its set of minimum weight codewords consists of the
word whose locator polynomial is $1 + X + X^3$ and of its shifts.
When 3 does not divide m, the code C has minimum distance at
least four.

Our notation is that of Theorem 3.3. Clearly the minimum distance of C is
at least two. Suppose that there is a codeword x of weight two or three in
C. We begin by using the first three Newton identities

$$\begin{aligned}
A_1 + \sigma_1 &= 0 \\
A_3 + A_2 \sigma_1 + A_1 \sigma_2 + \sigma_3 &= 0 \\
A_5 + A_4 \sigma_1 + A_3 \sigma_2 + A_2 \sigma_3 &= 0.
\end{aligned} \tag{21}$$

By shifting we can take $A_1 = 1$ and by definition of C, we have $A_3 = A_5 = 0$.
First suppose that there is a codeword of weight two, i.e. $\sigma_3 = 0$. So by
substitution in (21) we obtain

$$\sigma_1 = A_1 = 1, \quad 1 + \sigma_2 = 0 \quad \text{and} \quad 1 = 0$$

(note that $A_{2k} = A_k^2$). The third identity produces a contradiction, implying
that codewords of weight 2 do not exist. Suppose now that there is a
codeword of weight three. In the same way, we obtain

$$\sigma_1 = A_1 = 1, \quad 1 + \sigma_2 + \sigma_3 = 0 \quad \text{and} \quad 1 + \sigma_3 = 0,$$

implying $\sigma_3 = 1$ and $\sigma_2 = 0$. Then the locator polynomial is here unique, up
to a shift; we obtain $\sigma_x(X) = 1 + X + X^3$. But this polynomial splits in the
field of order $2^m$ if and only if 3 divides m. So if 3 does not divide m, the
minimum distance is at least four.
Suppose now that 3 divides m and compute the $A_i$ which are not already
known. By replacing the $\sigma_i$ by their values, we have the following identities

$$A_j = A_{j-1} + A_{j-3}, \quad j \ge 5. \tag{22}$$

We must prove that they are satisfied. Set I = {3, 5, 6}, the cyclotomic coset
of 3 modulo 7. It is easy to check, by induction on j, that the solution

$$A_j = \begin{cases} 0 & \text{if } j \bmod 7 \in I \\ 1 & \text{otherwise} \end{cases} \tag{23}$$

works when 3 divides m. Note that $A_0 = 1$, since $A_0$ is the sum modulo 2 of
the three non zero symbols of the word. So we have

$$A_0 = A_1 = A_2 = A_4 = 1 \quad \text{and} \quad A_3 = A_5 = A_6 = 0,$$

showing that (23) is satisfied for j < 7. Now we have just to see that
$A_j = A_{j \bmod 7}$; according to (22) one only has to check the seven equations

$$A_{j=7k+s} = A_{(j-1) \bmod 7} + A_{(j-3) \bmod 7} = A_s, \quad 0 \le s \le 6.$$

Finally the codewords of weight three of C correspond to the locator polynomials

$$1 + \alpha^k X + (\alpha^k X)^3, \quad k \in [0, 2^m - 2],$$

where α is a primitive root of the field of order $2^m$.
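
The statement of Example 3.4 can be checked exhaustively for small m. The following Python sketch is an added example, not code from the paper: it builds GF(2^m) for m = 3, ..., 6 (the reduction polynomials and all function names are choices made here), lists every support of size 2 or 3 with A_3 = A_5 = 0, and returns the locator polynomial of the weight-three word normalised to A_1 = 1.

```python
from itertools import combinations

# Irreducible polynomials over GF(2) defining GF(2^m), written as bit masks
# (x^3+x+1, x^4+x+1, x^5+x^2+1, x^6+x+1). The choice of modulus is an assumption
# of this example; any irreducible polynomial of degree m gives the same counts.
MODULUS = {3: 0b1011, 4: 0b10011, 5: 0b100101, 6: 0b1000011}


def gf_mul(a, b, m):
    """Product of a and b in GF(2^m); field elements are ints used as bit vectors."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:              # degree reached m: reduce by the modulus
            a ^= MODULUS[m]
    return r


def gf_pow(a, e, m):
    """a**e in GF(2^m) by repeated multiplication (e is small here)."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a, m)
    return r


def power_sum(locators, i, m):
    """A_i = sum of g^i over the locators g (addition in GF(2^m) is XOR)."""
    s = 0
    for g in locators:
        s ^= gf_pow(g, i, m)
    return s


def locator_poly(locators, m):
    """[sigma_0, ..., sigma_w] of prod(1 - g X); note -g = g in characteristic 2."""
    coeffs = [1]
    for g in locators:
        nxt = coeffs + [0]
        for d, c in enumerate(coeffs):
            nxt[d + 1] ^= gf_mul(c, g, m)
        coeffs = nxt
    return coeffs


def supports_in_code(w, m):
    """All supports of size w whose power sums satisfy A_3 = A_5 = 0.

    For a 0/1 word these two conditions are membership in C, because
    A_{2i} = A_i^2 extends them to the whole of cl(3) and cl(5).
    """
    cube = {g: gf_pow(g, 3, m) for g in range(1, 2 ** m)}
    fifth = {g: gf_pow(g, 5, m) for g in range(1, 2 ** m)}
    found = []
    for s in combinations(range(1, 2 ** m), w):   # G* is all of F* since n = 2^m - 1
        a3 = a5 = 0
        for g in s:
            a3 ^= cube[g]
            a5 ^= fifth[g]
        if a3 == 0 and a5 == 0:
            found.append(s)
    return found


def analyse(m):
    """(#weight-2 words, #weight-3 words, locator polynomials of those with A_1 = 1)."""
    w3 = supports_in_code(3, m)
    normalised = [s for s in w3 if power_sum(s, 1, m) == 1]
    polys = {tuple(locator_poly(s, m)) for s in normalised}
    return len(supports_in_code(2, m)), len(w3), polys


def power_sums_of_normalised_word(m, upto):
    """A_0 .. A_{upto-1} for the weight-3 word with A_1 = 1 (needs 3 | m)."""
    word = next(s for s in supports_in_code(3, m) if power_sum(s, 1, m) == 1)
    return [power_sum(word, j, m) for j in range(upto)]


if __name__ == "__main__":
    for m in (3, 4, 5, 6):
        n2, n3, polys = analyse(m)
        print(f"m={m}: weight 2: {n2}, weight 3: {n3}, normalised locator polynomials: {polys}")
    print("A_0..A_13 for m=6:", power_sums_of_normalised_word(6, 14))
```

The tuple (1, 1, 0, 1) is the coefficient list of 1 + X + X^3, and the number of weight-three words equals n exactly when 3 divides m, one word per shift.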
We are going to state the general form of Newton identities. This form is
clearly more interesting if we want to treat non binary codewords. Indeed it
will turn out that the MS polynomial is as important as the locator polyno-
mial for the description of the solutions of the algebraic system defined from
the Newton identities.
Theorem 3.5 Let x ∈ M be a codeword of weight w. Let $\Lambda_1, \dots, \Lambda_n$ be
the coefficients of the MS polynomial of x and denote by $\sigma_0, \dots, \sigma_w$ the
coefficients of the locator polynomial of x (note that $\sigma_0 = 1$). Then the $\sigma_i$
and the $\Lambda_i$ are linked by the generalized Newton identities – i.e. the following
identities hold:

$$\forall\, j \ge 0, \quad \Lambda_{j+w} + \sigma_1 \Lambda_{j+w-1} + \dots + \sigma_w \Lambda_j = 0. \tag{24}$$

Proof: First observe that by definition (see (1) and (3)) we have for 0 ≤ ℓ < n

$$\Lambda_\ell = \sum_{g \in G^*} x_g\, g^{\ell} = \sum_{i=1}^{w} x_{g_i}\, g_i^{\ell}$$

where $g_1, \dots, g_w$ are the locators of x. Moreover if ℓ ≥ n then $\Lambda_\ell = \Lambda_{\ell \bmod n}$.

Now from Definition 3.1, $\sigma_x(1/g_i) = 0$ for i = 1, . . . , w. Thus, for any i
and any j ≥ 0, we obtain

$$x_{g_i}\, g_i^{j+w}\, \sigma_x(1/g_i) = \sum_{k=0}^{w} x_{g_i}\, g_i^{j+w-k}\, \sigma_k = 0,$$

implying

$$\sum_{i=1}^{w} \sum_{k=0}^{w} x_{g_i}\, g_i^{j+w-k}\, \sigma_k = \sum_{k=0}^{w} \Lambda_{j+w-k}\, \sigma_k = 0.$$


Consider the ring F[Y], $Y = \{Y_1, \dots, Y_\ell\}$, of polynomials with coefficients
in F and with ℓ indeterminates. Taking $f_i \in F[Y]$, 1 ≤ i ≤ s, we can define
the algebraic system

$$S = \{\, f_1(Y) = 0, \dots, f_s(Y) = 0 \,\}.$$

The set of solutions of S is

$$V(\{f_1, \dots, f_s\}) = \{\, Y \in F^{\ell} \mid f_i(Y) = 0,\ 1 \le i \le s \,\}.$$

If I denotes the ideal generated by $\{f_1, \dots, f_s\}$, we have obviously
$V(I) = V(\{f_1, \dots, f_s\})$. We are saying that any system S defines an ideal I in F[Y]
and any solution Y of S satisfies f(Y) = 0 for all f ∈ I.
We will now consider the ring $F[\Lambda_0, \dots, \Lambda_{n-1}, \sigma_1, \dots, \sigma_w]$ and the
algebraic system provided from a given cyclic code C by the Newton identities.

Definition 3.6 Let the field F be the splitting field of $X^n - 1$. Let $q = p^r$,
where p is the characteristic of the ambient space M. Let C be a cyclic code
in M with defining set T. We define the system $S_C(w)$, where the $\Lambda_i$ and
the $\sigma_i$ are the indeterminates, as follows:

$$S_C(w) = \begin{cases}
\Lambda_{w+1} + \Lambda_w \sigma_1 + \dots + \Lambda_1 \sigma_w = 0, \\
\Lambda_{w+2} + \Lambda_{w+1} \sigma_1 + \dots + \Lambda_2 \sigma_w = 0, \\
\quad \vdots \\
\Lambda_{n+w} + \Lambda_{n+w-1} \sigma_1 + \dots + \Lambda_n \sigma_w = 0, \\
\forall i \in [0, n-1],\ \Lambda_{qi \bmod n} = \Lambda_i^q, \\
\forall i \in [0, n-1],\ \Lambda_{i+n} = \Lambda_i, \\
\forall i \in T,\ \Lambda_i = 0.
\end{cases} \tag{25}$$

The system $S_C(w)$ defines an ideal in the ring $F[\Lambda_0, \dots, \Lambda_{n-1}, \sigma_1, \dots, \sigma_w]$.

Theorem 3.7 Let C be a cyclic code in M with defining set T. Then we
have the following properties.

(i) If the code C contains a codeword x of weight less than or equal to w, then
the system SC (w) has at least one solution (Λ0 , . . . , Λn−1 , σ1 , . . . , σw ),
where the Λi are the coefficients of the MS polynomial of x and the σi
are the coefficients of the locator polynomial of x.

(ii) If the system SC (w) has solutions then the corresponding n-tuples (Λ0 , . . . , Λn−1 )
are the coefficients of the MS polynomials of the codewords of C of
weight less than or equal to w.

(iii) Let $(\Lambda_0, \dots, \Lambda_{n-1}) \in F^n$ and denote by S the set of w-tuples $(\sigma_1, \dots, \sigma_w)$
such that $(\Lambda_0, \dots, \Lambda_{n-1}, \sigma_1, \dots, \sigma_w)$ is a solution of $S_C(w)$. Assume
that S is not empty and then denote by x the codeword of C whose MS
polynomial has as coefficients the $\Lambda_i$.
Then $(\sigma_1, \dots, \sigma_w)$ is in S if and only if the locator polynomial of x
divides the polynomial $1 + \sum_{i=1}^{w} \sigma_i X^i$. Moreover S is an affine space of
dimension w − w′, where w′ is the weight of x.

Proof: (i) Suppose that C contains a codeword of weight w′ ≤ w. Let
x be this codeword, $\Lambda_0, \dots, \Lambda_{n-1}$ the coefficients of its MS polynomial and
$\sigma_1, \dots, \sigma_{w'}$ the coefficients of its locator polynomial. From Theorem 3.5 and
from the definition of the MS polynomial, it is clear that $S_C(w)$ is satisfied
for these $\Lambda_i$ and these $\sigma_i$. Note that this solution is such that $\sigma_i = 0$ for
w′ < i ≤ w, when w′ < w. We can say that the existence of solutions of
$S_C(w)$ is a necessary condition for the existence of codewords of weight less
than or equal to w in C.
(ii) Suppose that the algebraic system $S_C(w)$ has a solution $(\Lambda_0, \dots, \Lambda_{n-1}, \sigma_1, \dots, \sigma_w)$
and consider only the $\Lambda_i$. The equations

$$\Lambda_{qi \bmod n} = \Lambda_i^q, \quad i \in [0, n-1]$$

imply that $\Lambda_0, \dots, \Lambda_{n-1}$ are the coefficients of the MS polynomial of a
codeword x of M (the MS polynomial has values in k). Furthermore x belongs
to C because $\Lambda_i = 0$ for all i ∈ T (see Theorem 2.3). It remains to prove
that w′ ≤ w, where w′ is the weight of x.
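We now write that (25) is satisfied for the solution $(\Lambda_0, \dots, \Lambda_{n-1}, \sigma_1, \dots, \sigma_w)$:

$$\begin{pmatrix}
\Lambda_n & \Lambda_{n-1} & \cdots & \Lambda_{w+1} & \cdots & \Lambda_1 \\
\Lambda_{n+1} & \Lambda_n & \cdots & \Lambda_{w+2} & \cdots & \Lambda_2 \\
\vdots & \vdots & & \vdots & & \vdots \\
\Lambda_{2n-1} & \Lambda_{2n-2} & \cdots & \Lambda_{w+n} & \cdots & \Lambda_n
\end{pmatrix}
\begin{pmatrix} 0 \\ \vdots \\ 0 \\ 1 \\ \sigma_1 \\ \vdots \\ \sigma_w \end{pmatrix} = 0.$$

Since $\Lambda_{i+n} = \Lambda_i$, the matrix above is exactly the matrix C(x) of Theorem
2.5. From this theorem we know that the rank of this matrix is w′. Since
C(x) is a circulant matrix, we have

$$\begin{pmatrix}
\Lambda_n & \Lambda_{n-1} & \cdots & \Lambda_{w+1} & \cdots & \Lambda_1 \\
\Lambda_1 & \Lambda_n & \cdots & \Lambda_{w+2} & \cdots & \Lambda_2 \\
\vdots & \vdots & & \vdots & & \vdots \\
\Lambda_{n-1} & \Lambda_{n-2} & \cdots & \Lambda_w & \cdots & \Lambda_n
\end{pmatrix}
\begin{pmatrix}
0 & 0 & \cdots & 1 \\
\vdots & \vdots & & \sigma_1 \\
0 & 1 & & \vdots \\
1 & \sigma_1 & & \sigma_w \\
\sigma_1 & \sigma_2 & & 0 \\
\vdots & \vdots & & \vdots \\
\sigma_w & 0 & \cdots & 0
\end{pmatrix} = 0.$$

It appears that each column of C(x) is in the vector-space generated by the
last w columns of C(x). Hence the rank of C(x), which is w′, is less than or
equal to w. Moreover it is clear that, fixing $\Lambda_0, \dots, \Lambda_{n-1}$, the set of solutions
of $S_C(w)$ is an affine space of dimension w − w′.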

(iii) Let $(\Lambda_0, \dots, \Lambda_{n-1}) \in F^n$ and set

$$S = \{\, (\sigma_1, \dots, \sigma_w) \mid (\Lambda_0, \dots, \Lambda_{n-1}, \sigma_1, \dots, \sigma_w) \text{ is a solution of } S_C(w) \,\}.$$

Assuming that S is not empty, we have at least one x ∈ C whose MS polynomial
has the $\Lambda_i$ as coefficients. We have shown in proving (ii), that the
weight w′ of x satisfies w′ ≤ w and that S has dimension w − w′. Now set

$$S' = \Big\{\, (\sigma_1, \dots, \sigma_w) \;\Big|\; 1 + \sum_{i=1}^{w} \sigma_i X^i \equiv 0 \pmod{\sigma_x(X)} \,\Big\},$$

where $\sigma_x(X)$ is the locator polynomial of x. Since the degree of $\sigma_x$ is w′,
S′ is an affine space of dimension w − w′ too; so it is sufficient to prove
that S′ ⊂ S. Take $(\sigma_1, \dots, \sigma_w) \in S'$ and denote by σ(X) the polynomial
$1 + \sum_{i=1}^{w} \sigma_i X^i$. Since $\sigma_x(X)$ divides σ(X), any root of $\sigma_x$ is a root of σ,
providing

$$\sigma(1/g_i) = 0, \quad i \in [1, w']$$

where $g_1, \dots, g_{w'}$ are the locators of x. We remark that only this property
is needed in the proof of Theorem 3.5, for proving that the $\sigma_i$ and the $\Lambda_i$
satisfy (24). By using the same method, we obtain for any j ≥ 0:

$$x_{g_i}\, g_i^{j+w}\, \sigma(1/g_i) = \sum_{k=0}^{w} x_{g_i}\, g_i^{j+w-k}\, \sigma_k = 0,$$

implying

$$\sum_{i=1}^{w'} \sum_{k=0}^{w} x_{g_i}\, g_i^{j+w-k}\, \sigma_k = \sum_{k=0}^{w} \left( \sum_{i=1}^{w'} x_{g_i}\, g_i^{j+w-k} \right) \sigma_k = \sum_{k=0}^{w} \Lambda_{j+w-k}\, \sigma_k = 0.$$

So $S_C(w)$ is satisfied for these $\sigma_i$ and for the $\Lambda_i$ corresponding to the codeword
x of C; hence $(\sigma_1, \dots, \sigma_w) \in S$. We have proved that S = S′, completing
the proof of (iii). Note that the coefficients of the polynomial $\sigma_x(X)$ itself
provide an element of S.

It is important to notice that the existence of solutions of $S_C(w)$ ensures
the existence of codewords of weight w′ ≤ w in C (see (ii)). Moreover such
a codeword x, which is uniquely defined by its MS polynomial, is such that
its locator polynomial generates an affine-subspace S, of dimension w − w′,
included in the ideal of solutions of $S_C(w)$: each solution of $S_C(w)$ provides
an x ∈ C and a subspace S; S “contains” one and only one x ∈ C and several
other solutions of $S_C(w)$. Whenever w′ = w, the subspace S contains one
and only one solution of $S_C(w)$ corresponding to a unique codeword of C
of weight w. This is always satisfied when the minimum distance of C is
lower-bounded by w. Thus we have an important corollary of Theorem 3.7
concerning the minimum distance of C.
Corollary 3.8 Let C be a cyclic code in M whose minimum distance δ
satisfies δ ≥ w. Then the minimum distance of C is exactly w if and only
if the system $S_C(w)$ has at least one solution $(\Lambda_0, \dots, \Lambda_{n-1}, \sigma_1, \dots, \sigma_w)$. For
any such solution the codeword x, whose MS polynomial is $\sum_{s=0}^{n-1} \Lambda_{n-s} X^s$,
is a codeword of C of weight w. The $\sigma_i$ are the coefficients of the locator
polynomial of x. The number of codewords of weight w in C is equal to the
number of solutions of $S_C(w)$.
The theory of Gröbner bases (see [16][68]) gives tools for solving the sys-
tems SC (w). The idea is to construct a basis of the ideal generated by the
polynomials occurring in the system. The aim is to obtain a reduced system
with few equations or with equations which induce a description of the set of
solutions. In order to do so, it is necessary to have a computer and a package
for computing Gröbner bases.
This point of view, for finding minimum weight codewords in a code, was
first developed by Augot in his thesis [5]. When it is possible to compute the
Gröbner basis of the system SC (w), the set of solutions is thereby described
by a small set of equations – more precisely, it is almost always the case. The
most important is the possibility to prove that the system has no solutions.
In many situations, it is the only known way for proving that a lower bound
on the minimum distance of a given code is not reached. The system has no
solutions if and only if its Gröbner basis is reduced to {1} – since 1 = 0 is
impossible. Otherwise we not only know the number of solutions but also
some algebraic properties that these solutions satisfy. According to Corollary
3.8, this method is of most efficiency when w is the minimum distance of C.
Several examples are given in [5][6]; one of them is the following.
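Example 3.9 The field of order 32 is denoted by F. Let Q be the binary
quadratic residue code of length 31. It is the cyclic code with defining set

$$T = cl(1) \cup cl(5) \cup cl(7).$$

The minimum distance is known to be 7. The Gröbner basis for $S_Q(7)$ was
obtained by using a computer. It is the following set of polynomials

$$\left\{ \begin{array}{lll}
\sigma_7 + \Lambda_{11}^{4} \Lambda_3^{29} + \Lambda_{11}^{2} \Lambda_3^{26}, & \sigma_6 + \Lambda_3^{2}, & \sigma_5 + \Lambda_{11} \Lambda_3^{29}, \\
\sigma_4 + \Lambda_{11}^{4} \Lambda_3^{28} + \Lambda_{11}^{2} \Lambda_3^{25}, & \sigma_3 + \Lambda_3, & \sigma_2 + \Lambda_{11} \Lambda_3^{28}, \\
\Lambda_{15} + \Lambda_{11}^{3} \Lambda_3^{25} + \Lambda_3^{5}, & \sigma_1, & \Lambda_3^{31} + 1, \\
\multicolumn{3}{l}{\Lambda_{11}^{5} + \Lambda_{11}^{4} \Lambda_3^{14} + \Lambda_{11}^{2} \Lambda_3^{11} + \Lambda_{11} \Lambda_3^{25} + \Lambda_3^{8}}
\end{array} \right\}.$$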
Denote by A a value of $(\Lambda_0, \dots, \Lambda_{30}, \sigma_1, \dots, \sigma_7)$ in $F^{38}$; A is a solution
of $S_Q(7)$ if and only if f(A) = 0, for any polynomial f belonging to the
set above. Note that in the Gröbner basis only one indeterminate for each
set $\{\Lambda_i, \Lambda_{2i}, \dots\}$ appears; this is because of the conditions $A_{2i \bmod 31} = A_i^2$
in $S_Q(7)$. Moreover we have also in $S_Q(7)$ the equations $\Lambda_1 = 0$, $\Lambda_5 = 0$
and $\Lambda_7 = 0$ (by definition of Q). Finally we have ten expressions with ten
indeterminates, $(\Lambda_3, \Lambda_{11}, \Lambda_{15}, \sigma_1, \dots, \sigma_7)$.
Each value in $F^{10}$ of these indeterminates which is such that the ten
expressions are zero gives us a solution of $S_Q(7)$. A solution is here a triple

$$(a, b, c) \in F^3 \quad \text{with} \quad \Lambda_3 = a,\ \Lambda_{11} = b,\ \Lambda_{15} = c,$$

which is available; the values of the $\sigma_i$ are deduced. In accordance with
Corollary 3.8, there is a one-to-one correspondence between the solutions of
$S_Q(7)$ and the codewords of weight 7 in Q. Moreover, by using the Gröbner
basis, we can say more about the set of minimum weight codewords:
1. There are 31 × 5 = 155 solutions. They correspond to the roots of the
system:

$$\Lambda_{11}^{5} + \Lambda_{11}^{4} \Lambda_3^{14} + \Lambda_{11}^{2} \Lambda_3^{11} + \Lambda_{11} \Lambda_3^{25} + \Lambda_3^{8} = 0, \quad \Lambda_3^{31} + 1 = 0. \tag{26}$$

We consider above the two equations which have only $\Lambda_3$ and $\Lambda_{11}$ as
indeterminates.
For each value of $(\Lambda_3, \Lambda_{11})$, we deduce the values of $\Lambda_{15}$ and of the $\sigma_i$
from the other equations:

$$\Lambda_{15} = \Lambda_{11}^{3} \Lambda_3^{25} + \Lambda_3^{5}, \quad \sigma_1 = 0, \quad \sigma_2 = \Lambda_{11} \Lambda_3^{28}, \ \dots$$

For any fixed value $a \in F^*$ of $\Lambda_3$, we are sure that the first equation of
(26), say

$$E(\Lambda_{11}) = 0 \quad \text{where} \quad E(\Lambda_{11}) = \Lambda_{11}^{5} + \Lambda_{11}^{4} a^{14} + \Lambda_{11}^{2} a^{11} + \Lambda_{11} a^{25} + a^{8},$$

has five solutions in F; indeed each root of E provides a solution which
must be in F, by definition of $S_Q(7)$ (see Theorem 3.7, (ii)). It remains
to check that these five solutions are always pairwise distinct. Consider
the derivative of $E(\Lambda_{11})$, with respect to $\Lambda_{11}$; it is the polynomial

$$\Lambda_{11}^{4} + a^{25} = (\Lambda_{11} + a^{8 \times 25})^{4} = (\Lambda_{11} + a^{14})^{4}.$$

But $E(a^{14}) = a^{8}$ and a cannot be zero, implying that $E(\Lambda_{11})$ has no
multiple roots.
So there are 155 codewords of weight 7 in Q.

2. The codewords of weight 7 do not belong to any cyclic subcode of Q.
First we have no equation $\Lambda_i = 0$, i = 3, 11, 15, implying that the set of
codewords of weight 7 is not contained in a cyclic subcode. Can such
a codeword be in a cyclic subcode?
One easily proves that $\Lambda_3$ cannot be equal to 0 and $\Lambda_{11}$ too. Indeed
$\Lambda_3^{31} = 1$ yields $\Lambda_3 \neq 0$. On the other hand, from the first equation of
(26), $\Lambda_{11} = 0$ would imply $\Lambda_3 = 0$, a contradiction. Finally suppose
that $\Lambda_{15} = 0$. Then

$$\Lambda_{15} + \Lambda_{11}^{3} \Lambda_3^{25} + \Lambda_3^{5} = 0 \implies \Lambda_{11}^{3} = \Lambda_3^{11}.$$

By replacing in the first equation of (26), we obtain

$$\Lambda_{11}^{5} + \Lambda_{11}^{7} \Lambda_3^{3} + \Lambda_{11}^{5} + \Lambda_{11}^{7} \Lambda_3^{3} + \Lambda_3^{8} = \Lambda_3^{8} = 0,$$

a contradiction. Thus we can conclude that there is no codeword of
weight 7 in some cyclic subcode.

3. There is no idempotent — i.e. no codeword of weight 7 whose MS
polynomial has binary coefficients. Indeed it is impossible to have
$\Lambda_3 = 1$ and $\Lambda_{11} = 1$ and we have proved that $\Lambda_3 \neq 0$ and $\Lambda_{11} \neq 0$.

It is important to notice that for each solution (a, b, c) we are sure that
the corresponding polynomial $1 + \sum_{i=2}^{7} \sigma_i X^i$ is the locator polynomial of a
codeword. It means that this polynomial splits in F and has seven distinct
roots. We point out that by means of the Gröbner basis of $S_Q(7)$ one obtains
precisely the class of polynomials corresponding to the minimum weight
codewords of Q.

Comments on Section 3.1 Example 3.4 summarizes the efficiency of
Newton identities. On the one hand the identities must be satisfied for a
given weight w and for a given defining set T (i.e. some Ai are equal to
zero). If a contradiction appears in the identities, then there is no codeword
of weight w in the code of defining set T . On the other hand the method can
produce immediately (by hand) the full set of codewords of a given weight
for an infinite class of codes. Of course it is not generally the case. Moreover
the method, which uses the form (19)(20) of the Newton identities, works
only for codewords whose symbols are in {0, 1}. But a lot of information can
be obtained in this way.
In the binary case the usual form allows us to treat any codeword. Note
that the set of minimum weight codewords of binary Reed-Muller codes was
first described by Kasami et al. by means of the Newton identities [90].
There are many recent applications as, for instance, the minimum distance
of some BCH codes [9], codewords of minimum weight of some self-dual
binary codes [54] or covering radius of some BCH codes [61]. The Newton
identities can be used for the description of codewords of a large class of
codes. Recent results are given in [34] concerning cyclic codes over Z4 .
The use of Newton identities for decoding is well-known (see [111, p.
273] and, for instance, [32]). We want also to cite several recent works on
decoding or on decoding up to the minimum distance as, for instance, [60][67]
and [131]. The use of Gröbner bases for decoding is discussed in [59] and an
extensive study by de Boer and Pellikaan is in [31].
Unfortunately any method, for decoding or for codeword description,
which consists of computing the Gröbner basis of the system SC (w) is re-
stricted by the high complexity of Buchberger’s algorithm. It is, however,
the best known algorithm at the moment [98].

3.2 Special locator polynomials


This section naturally follows the preceding, concerning the description of
codewords of cyclic codes. The basic idea is still to define tools for finding
solutions in some system of type SC (w). In Section 3.1 we started from the
concept of locator polynomials and next emphasized the significant role of
MS polynomials. Now we come back to the characterization of the locator
polynomials of codewords of a given cyclic code. We give here basic material
and recall that little is known about a question which is connected with the
determination of the splitting field of some class of polynomials.

Idempotents in $R_n$ are studied in Chapter 1, §5. In our ambient space
$M = k[\{G^*, \times\}]$ they are the codewords e which satisfy

$$\left( \sum_{g \in G^*} e_g (g) \right)^{2} = \sum_{g \in G^*} e_g (g). \tag{27}$$

From the multiplication in M, that is equivalent to

$$\sum_{uv = g} e_u e_v = e_g, \quad g \in G^*.$$

Recall that α is a primitive nth root of unity and q is the order of the alphabet
field k. We know from Corollary 5.19 of Chapter 1 that any idempotent has
the following form

$$e = \sum_{s \in I} e_{\alpha^s} \sum_{i \in cl(s)} (\alpha^i) \tag{28}$$

where I is a system of representatives of the q-cyclotomic cosets modulo n
and cl(s) is the coset of s. When q = 2 any codeword of the form (28) is an
idempotent.

Proposition 3.10 Let x ∈ M. Then x has the form (28) if and only if
its MS polynomial Mx (X) has coefficients in k. If x has the form (28), its
locator polynomial σx (X) has coefficients in k.
When q = 2, i.e. k is the field of order two, x is an idempotent if and
only if it satisfies one of these three following conditions

(i) x has the form (28);

(ii) Mx (X) is a polynomial of k[X];

(iii) σx (X) is a polynomial of k[X].

Proof: Notation is that of Section 2.2. We must prove that x has the form
(28) if and only if

$$(\rho_j(x))^{q} = \rho_j(x), \quad 0 \le j \le n. \tag{29}$$

Applying the inverse Fourier transform, x has the form (28) if and only if its
MS polynomial satisfies $M_x(g) = M_x(g^q)$, for all $g \in G^*$. By definition this
is equivalent to $M_x(X^q) = M_x(X)$ which means

$$\sum_{s=0}^{n-1} \rho_{n-s}(x)\, X^{s} = \sum_{s=0}^{n-1} \rho_{n-s}(x)\, X^{qs \bmod n},$$

which is equivalent to $\rho_j(x) = \rho_{qj}(x)$, for all j. As $\rho_{qj}(x) = (\rho_j(x))^q$, this is
exactly (29).
On the other hand the locator polynomial of x is in k[X] if and only if
it is a product of some minimal polynomials on k. That means that the
support of x corresponds to a union of q-cyclotomic cosets modulo n. This
property is satisfied when x has the form (28).
When q = 2, we know that the form (28) characterizes the set of idempotents.
Since it is a binary codeword, x can be identified to its support. So
$\sigma_x(X) \in k[X]$ if and only if x has the form (28). We have previously proved
that (i) is equivalent to (ii) for any q, completing the proof.

Example 3.11 The minimal polynomials correspond to the simplest idempotents.
Consider the following polynomial which is irreducible over GF(2):

$$\sigma(X) = 1 + X + X^2 + X^3 + X^5 = \prod_{i=0}^{4} (1 - \beta^{2^i} X).$$

Its splitting field is $GF(2^5)$ and, since 31 is prime, any such polynomial is
primitive; σ(X) is the minimal polynomial of $\beta^{-1}$, which is a primitive root
of GF(32).
Now we want to know the smallest binary cyclic code of length 31 containing
the codeword x whose locators are the $\beta^{2^i}$. In other words, we want to
determine the cyclic code where x is the primitive idempotent. We must compute
the coefficients $A_i$ of the MS polynomial of x, for i ∈ {1, 3, 5, 7, 11, 15}
– a system of representatives of the 2-cyclotomic cosets cl(i) modulo 31.
Since x is an idempotent, one can obtain this result without computer, by
simply writing the Newton identities (given in Theorem 3.3) and replacing
the values of the coefficients of the locator polynomial: $\sigma_1 = 1$, $\sigma_2 = 1$,
$\sigma_3 = 1$, $\sigma_4 = 0$ and $\sigma_5 = 1$. We obtain

$$A_1 = 1, \quad A_3 = 1, \quad A_5 = 0,$$

and

$$A_j = A_{j-1} + A_{j-2} + A_{j-3} + A_{j-5}, \quad j \ge 6.$$

Using the recursive formula above, one finds $A_7 = 1$, $A_{11} = 0$ and $A_{15} = 0$.
So x is the primitive idempotent of the cyclic code C whose defining set is

$$T = cl(5) \cup cl(11) \cup cl(15).$$

Moreover the minimum distance of C is 5 and x is a minimum weight codeword
of C. Indeed wt(x) = 5 and 20, 21, 22 and 23 are in T, proving that the
minimum distance is at least 5.
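
The hand computation of Example 3.11 can be reproduced with a few lines of Python. This is an added example, not code from the paper; the function names are chosen here. It runs the Newton identities (19)-(20) over GF(2) from the coefficients of σ(X), collects the indices i with A_i = 0 into cyclotomic cosets, and evaluates the BCH bound on the resulting defining set.

```python
# Coefficients sigma_0..sigma_5 of sigma(X) = 1 + X + X^2 + X^3 + X^5 (Example 3.11).
SIGMA = [1, 1, 1, 1, 0, 1]


def power_sums_from_locator(sigma, count):
    """Return [A_0, A_1, ..., A_count] over GF(2) for a binary locator polynomial.

    sigma = [sigma_0 = 1, sigma_1, ..., sigma_w] with entries in {0, 1}.
    For j <= w identity (19) gives A_j = sum_{i<j} sigma_i A_{j-i} + j*sigma_j,
    for j > w identity (20) gives A_j = sum_{i<=w} sigma_i A_{j-i}; signs vanish mod 2.
    """
    w = len(sigma) - 1
    A = [w % 2]                       # A_0 is the weight of the word reduced mod 2
    for j in range(1, count + 1):
        acc = sum(sigma[i] * A[j - i] for i in range(1, min(j - 1, w) + 1))
        if j <= w:
            acc += j * sigma[j]
        A.append(acc % 2)
    return A


def cyclotomic_coset(s, n, q=2):
    """The q-cyclotomic coset of s modulo n, as a sorted list."""
    coset, t = [], s % n
    while t not in coset:
        coset.append(t)
        t = (t * q) % n
    return sorted(coset)


def zero_set(sigma, n):
    """T = { i in [0, n-1] : A_i = 0 } for the 0/1 word with locator polynomial sigma."""
    A = power_sums_from_locator(sigma, n - 1)
    return {i for i in range(n) if A[i] == 0}


def coset_leaders(T, n):
    """Smallest element of each cyclotomic coset meeting T."""
    return sorted({min(cyclotomic_coset(i, n)) for i in T})


def bch_bound(T, n):
    """1 + length of the longest run of cyclically consecutive integers in T."""
    best = 0
    for start in range(n):
        run = 0
        while run < n and (start + run) % n in T:
            run += 1
        best = max(best, run)
    return best + 1


if __name__ == "__main__":
    n = 31
    A = power_sums_from_locator(SIGMA, 15)
    print("A_1..A_15:", A[1:])
    T = zero_set(SIGMA, n)
    print("defining set is the union of cl(i) for i in", coset_leaders(T, n))
    print("BCH bound on the minimum distance:", bch_bound(T, n))
```

The run 20, 21, 22, 23 quoted in the example is the longest run found, so the bound returned is 5, equal to the weight of x.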

We are going to define the codewords of BCH codes by means of a set of
special polynomials. Furthermore we will notice that some such polynomials
correspond to the idempotents which are minimal weight codewords of some
BCH codes.

Theorem 3.12 Let $\{g_1, \dots, g_w\}$ be a set of locators in the field F of
characteristic p. Denote by σ(X) the associated locator polynomial and by $A_i$,
i ≥ 0, the power sum functions of these locators. Let δ be a positive integer
less than or equal to w. Then the coefficients $\sigma_r$ of σ(X) satisfy

$$1 \le r < \delta \ \text{ and } \ r \not\equiv 0 \pmod{p} \implies \sigma_r = 0$$

if and only if $A_1 = A_2 = \dots = A_{\delta-1} = 0$.

Proof: This is an immediate application of Theorem 3.3. The first w Newton
identities are:

$$\begin{array}{ll}
I_1: & A_1 + \sigma_1 = 0 \\
I_2: & A_2 + \sigma_1 A_1 + 2\sigma_2 = 0 \\
\ \vdots & \\
I_r: & A_r + \sum_{i=1}^{r-1} A_{r-i}\,\sigma_i + r\sigma_r = 0 \\
\ \vdots & \\
I_w: & A_w + \sum_{i=1}^{w-1} A_{w-i}\,\sigma_i + w\sigma_w = 0.
\end{array}$$

Suppose that $A_1 = A_2 = \dots = A_{\delta-1} = 0$. Then for any r < δ, $I_r$ is reduced
to $r\sigma_r = 0$. Hence if p does not divide r then $\sigma_r$ must be zero.
Conversely suppose that the condition on the $\sigma_r$ is satisfied. Then we can
prove, by induction on r, that $A_r = 0$ for r < δ:

• From $I_1$ we have $A_1 = 0$.

• Suppose that $A_1 = A_2 = \dots = A_{r-1} = 0$. Then the identity $I_r$ is
reduced to $A_r + r\sigma_r = 0$, where either r ≡ 0 (mod p) or $\sigma_r = 0$.
Hence $A_r = 0$.


It is clear that the theorem above is related to the BCH bound. Actually
it gives the “polynomial form” of any codeword of any BCH code of designed
distance δ on k, which has symbols from {0, 1}. The following corollary is
obvious, since the locators of any codeword of the BCH code of designed
distance δ satisfy A1 = · · · = Aδ−1 = 0.

Corollary 3.13 Let the ambient space be M (the characteristic is p). Let
B(δ) be the BCH code of length n and designed distance δ. Consider any
polynomial

$$\sigma(X) = 1 + \sum_{1 < r < \delta,\ p \mid r} \sigma_r X^r + \sum_{r=\delta}^{w} \sigma_r X^r, \quad \sigma_r \in F,\ \sigma_w \neq 0, \tag{30}$$

where F is the splitting field of $X^n - 1$. Then σ(X) is the locator polynomial
of a codeword of weight w of B(δ), whose symbols are from {0, 1}, if and only
if it splits in F and its roots are w distinct nth roots of unity.

Corollary 3.13 gives the form of the locator polynomial of any codeword
of any binary BCH code. More precisely, let us denote by B(δ) a binary
BCH code of length $2^m - 1$ and designed distance δ. Then B(δ) has true
minimum distance δ if and only if there exists a polynomial

$$\sigma(X) = 1 + \sum_{i=1}^{(\delta-1)/2} \sigma_{2i} X^{2i} + \sigma_\delta X^{\delta} \tag{31}$$

which has δ distinct roots in F, the finite field of order $2^m$. This property
leads to the determination of the order of the splitting field of the polynomials
of the form (31).
Such a polynomial corresponds to an idempotent if and only if its coefficients
are in GF(2). Augot and Sendrier proposed in [10] an algorithm
for computing the extension degree of the splitting field of such idempotent
polynomials. In this way they gave the true minimum distance of many BCH
codes of relatively large length and dimension.

δ     m
3     2, 3
5     4, 5, 6
7     3, 4, 7, 10
9     6, 8, 9, 10, 14, 15, 21
11    5, 6, 8, 11, 21, 28
13    8, 9, 10, 12, 13, 14, 21, 22, 33, 35
15    4, 5, 6, 7, 9, 26, 33, 39
17    8, 9, 10, 12, 14, 15, 17, 21, 35, 39, 44, 52, 55, 65, 66, 77
19    8, 9, 10, 12, 15, 19, 21, 28, 34, 35, 39, 51, 52, 65, 66, 77, 91
21    6, 7, 8, 9, 10, 11, 15, 38, 51, 57, 68, 85
23    6, 8, 10, 11, 14, 15, 21, 23, 35, 51, 52, 57, 65, 68, 76, 85, 95, 117, 119
25    8, 10, 12, 13, 15, 18, 21, 22, 25, 28, 33, 46, 57, 68, 69, 76, 77, 95, 102, 119, 133, 153
27    6, 7, 8, 9, 10, 13, 15, 33, 44, 55, 68, 69, 76, 85, 92, 115, 187
29    10, 12, 14, 15, 16, 18, 21, 25, 26, 27, 29, 35, 39, 44, 66, 68, 69, 76, 77, 92, 95, 99, 102, 114, 115, 153, 161, 171, 187, 209, 221, 715
31    5, 6, 8, 9, 14, 21, 31, 39, 44, 52, 58, 77, 87, 92, 119, 161, 209, 221, 247, 374, 561
33    10, 11, 12, 15, 16, 17, 18, 21, 27, 28, 39, 52, 62, 76, 87, 91, 92, 93, 95, 114, 115, 116, 133, 138, 145, 171, 175, 207, 247, 322
35    9, 10, 12, 14, 15, 16, 17, 21, 22, 25, 33, 35, 52, 65, 77, 78, 87, 91, 92, 93, 95, 114, 116, 124, 138, 143, 145, 152, 155, 203, 253, 299, 494, 741
37    8, 10, 12, 14, 15, 18, 19, 21, 27, 33, 34, 37, 44, 51, 52, 55, 65, 77, 78, 92, 93, 115, 116, 117, 119, 124, 138, 143, 155, 161, 174, 175, 203, 207, 217, 261, 299, 506
39    8, 9, 10, 12, 13, 15, 19, 21, 25, 28, 33, 35, 44, 51, 55, 68, 74, 77, 85, 111, 115, 116, 119, 124, 138, 145, 174, 186, 187, 217, 319, 322, 391, 406
41    10, 12, 14, 15, 16, 18, 21, 25, 26, 27, 35, 38, 39, 41, 44, 51, 57, 65, 66, 68, 77, 91, 99, 111, 116, 119, 124, 133, 138, 148, 155, 174, 184, 185, 186, 207, 209, 261, 279, 319, 341, 374, 377, 391, 437, 759, 1615, 2431
43    7, 8, 11, 12, 15, 18, 20, 27, 39, 43, 50, 52, 57, 65, 68, 76, 82, 85, 95, 102, 111, 115, 116, 123, 124, 138, 145, 148, 153, 174, 185, 186, 207, 221, 261, 279, 310, 377, 403, 437, 782, 1173
45    8, 9, 10, 11, 12, 14, 15, 21, 23, 25, 35, 39, 52, 57, 65, 68, 76, 85, 86, 91, 102, 119, 123, 124, 129, 133, 145, 148, 155, 164, 174, 186, 205, 217, 222, 247, 259, 403, 442, 493, 754
47    8, 9, 10, 12, 15, 21, 22, 23, 28, 33, 35, 47, 52, 55, 68, 76, 77, 78, 91, 95, 102, 114, 119, 123, 129, 133, 143, 148, 155, 164, 172, 174, 185, 186, 205, 215, 221, 222, 287, 325, 407, 425, 434, 493, 494, 518, 527, 551, 741, 806, 1131, 1209, 1885, 3553
49    10, 12, 14, 15, 16, 18, 21, 25, 27, 33, 35, 44, 46, 49, 52, 55, 65, 68, 69, 76, 78, 85, 94, 95, 102, 114, 117, 119, 129, 141, 143, 145, 148, 153, 164, 171, 172, 174, 186, 187, 203, 209, 215, 222, 232, 246, 248, 261, 279, 287, 299, 301, 333, 369, 407, 442, 481, 527, 551, 589, 663, 741, 986, 1131, 1209, 1479, 1771, 2387, 3059, 4199

Table 2: Binary BCH codes of length $2^m - 1$ and designed distance δ whose
true minimum distance is exactly δ (see §3.2, following (31)).

These results are presented in Table 2. Recall that extended primitive
BCH codes are affine-invariant. So it is sufficient to find an idempotent either
of weight δ or of weight δ + 1 to ensure that the true minimum distance is δ.
The codes B(δ) listed in Table 2 have this property. For every δ, 3 ≤ δ ≤ 49,
a list of values of m is given. The result is precisely: for any value of m, in
the list, the true minimum distance of the BCH code of length $2^m - 1$ and
designed distance δ is exactly δ. Note that this property holds for the BCH
codes of length $2^{km} - 1$, and designed distance δ, for any m in this list and for
any k. This is because the idempotent of weight δ (or δ + 1) corresponds to
a polynomial of the form (31) which splits in $GF(2^m)$ and then in $GF(2^{km})$.

On the other hand, there is a “classical” class of lacunary polynomials:
the class of polynomials of the form

$$f(X) = c + \gamma_0 X + \gamma_1 X^{q} + \dots + \gamma_k X^{q^k} \tag{32}$$

with coefficients in some extension field of k, the field of order q. These
polynomials are usually called affine polynomials as their roots form an affine
space of dimension k over k. When c = 0 the roots form a vector space and
f(X) is said to be a linear polynomial. The reader can refer to [102, pp.
108-120] for basic properties. Since the derivative of f(X) is reduced to $\gamma_0$
(modulo q), the roots of f(X) have multiplicity one if and only if $\gamma_0 \neq 0$. So
$\gamma_0 \neq 0$ is necessary if we want to consider f(X) as a locator polynomial.
Now we want to give some equivalent representations of affine spaces. As
the zeros of f(X) form an additive structure, our ambient space is now the
algebra A. We consider only primitive codewords, i.e. $n = p^m - 1$, and the
multiplicative group of M will be $F^*$ (F is the field of order $p^m$).
Assume that the affine polynomial f(X) splits in F with roots of multiplicity
one. Then f(X) can be identified to the codeword of A whose support
is the affine space of its roots and whose symbols are from {0, 1}. More
precisely define the codewords of the form

$$x = \lambda X^{h} \sum_{g \in V_k} X^{g}, \quad \lambda \in k, \tag{33}$$

where $V_k$ is a subspace of F of dimension k over k. Such a codeword can
be identified with an affine polynomial whose roots are the elements of the
affine space $h + V_k$, up to scalar multiplication. In the next proposition, we
characterize the locator polynomial of any codeword x of the form (33) (in
the sense of Definition 3.1).
Proposition 3.14 Let the ambient space be A. Let $\delta = q^k - 1$, $\delta < n$, and
set
$$ I_k = \{\, q^k - q^j \mid j \in [0, k-1] \,\}. $$
Define the polynomial of degree $\delta$ ($\sigma_\delta \ne 0$):
$$ \sigma(X) = 1 + \sum_{i \in I_k} \sigma_i X^i, \quad \sigma_i \in F. $$
Denote by $v_i$ the roots of $\sigma(X)$ and set $g_i = v_i^{-1}$. Then (i) and (ii)
are equivalent.
(i) $\sigma(X)$ splits in F with roots of multiplicity one.
(ii) $\sigma(X)$ is the locator polynomial of the codewords of the form (33) such
that $h = 0$ and $V_k$ is the set $\{0, g_1, \dots, g_\delta\}$.

Proof: We simply observe that the polynomial
$$ f(X) = X^{q^k} \sigma(X^{-1}) = X^{q^k} + \sum_{j=0}^{k-1} \gamma_j X^{q^j}, $$
where $\gamma_j = \sigma_i$ with $i = q^k - q^j$, is a linear polynomial. Clearly, (i)
holds if and only if $f(X)$ has $q^k$ distinct roots in F and that means that the
set of the roots of $f(X)$ is the support of a codeword of the form (33) with
$V_k = \{0, g_1, \dots, g_\delta\}$ and $h = 0$. It is equivalent to say that
$\sigma(X) = \prod_{i=1}^{\delta} (1 - g_i X)$, where $\{0, g_1, \dots, g_\delta\}$ is a
subspace of dimension $k$ of F, i.e. it has exactly property (ii).

We defined the GRM codes in Section 2.2 and keep the same notation (see
Definition 2.8). Recall that considering GRM codes of length $p^m - 1$ over the
alphabet field of order $q$, $q = p^r$, the order is in the range
$[1, m'(q - 1) - 1]$ where $m = r m'$; the GRM code of order $\nu$ is denoted by
$R_q(\nu, m)$. It is quite easy to prove that the codewords of the form (33),
whose weight is $q^k$, belong to the set of minimum weight codewords of the GRM
code of order $\nu$, $\nu = (m' - k)(q - 1)$. A proof is given in
Chapter(Assmus-Key). It was first proved by Kasami et al. by using the
following property [91, Theorem 9].
Theorem 3.15 Let $V_k$ be any subspace of F of dimension $k$ over $\mathbf{k}$. Then
the power sum functions
$$ A_i = \sum_{v \in V_k} v^i, \quad i \in [1, p^m - 1], $$
are zero when the $q$-weight of $i$ is less than $k(q - 1)$, i.e. when $i$ is in
the defining set of $R_q(\nu, m)$, $\nu = (m' - k)(q - 1)$.
By using this theorem and the usual Newton identities, the authors de-
scribed the set of minimum weight codewords of binary Reed-Muller codes.
We want to show that their result can be expanded by using the generalized
Newton identities. Note that the set of minimum weight codewords of any
GRM code was described in another way (see comments in Section 3.2).
Lemma 3.16 Let $\delta = q^k - 1$; $I_k$ is defined in Proposition 3.14. Let $x$ be a
codeword of the punctured GRM code $R_q^*(\nu, m)$, $\nu = (m' - k)(q - 1)$. Then
the MS polynomial of $x$ is such that $\rho_s(x) = 0$ for any $1 \le s < \delta$ and
$$ s \in [1, \delta - 1], \ s \notin I_k \implies \rho_{s+\delta}(x) = 0 $$
(see (1) for the definition of $\rho_s$).

Proof: Recall that the defining set of $R_q^*(\nu, m)$ is the set
$$ T_\nu = \{\, s \in [0, q^{m'} - 1] \mid \mathrm{wt}_q(s) < k(q - 1) \,\}. $$
A codeword $x$ is in $R_q^*(\nu, m)$ if and only if $\rho_s(x) = 0$ for all
$s \in T_\nu$.
First observe that $\delta = \sum_{i=0}^{k-1} (q - 1) q^i$. Clearly
$\mathrm{wt}_q(\delta) = k(q - 1)$ and any $s < \delta$ is such that
$\mathrm{wt}_q(s) < k(q - 1)$, i.e. $s$ is in $T_\nu$ and then $\rho_s(x) = 0$.
Therefore
$$ 2\delta = 2q^k - 2 = (q - 2) + \sum_{i=1}^{k-1} (q - 1) q^i + q^k, $$
providing $\mathrm{wt}_q(2\delta) = k(q - 1)$; note that $2\delta$, as $\delta$, is not
in $T_\nu$.
Set $t = \delta + s$ with $s \in [1, \delta - 1]$. It remains to prove that $t$ is in
$T_\nu$ whenever $s \notin I_k$. We easily deduce, from the form of the $q$-ary
expansion of $2\delta$, that any $t < 2\delta$ has a $q$-weight less than or equal to
$k(q - 1)$. Suppose that $\mathrm{wt}_q(t) = k(q - 1)$. The general form of such a
$t$, $\delta < t < 2\delta$, is
$$ t = \sum_{i=0}^{k-1} t_i q^i + \epsilon q^k, \quad \epsilon \in \{0, 1\}, \ t_i \in \{q - 2, q - 1\}, $$
where $\epsilon = 1$ (since $t \ne \delta$) and $t_0 = q - 1$ (since $t \ne 2\delta$).
More precisely $\mathrm{wt}_q(t) = k(q - 1)$ yields that one and only one $t_j$,
$j > 0$, must be equal to $q - 2$, i.e. $t = \delta + q^k - q^j$, with
$j \in [1, k - 1]$.
We have proved that the set of those $t$, $\delta \le t \le 2\delta$, such that
$\mathrm{wt}_q(t) = k(q - 1)$ is the set of those $t$ which satisfy: $t = \delta + s$
with $s \in I_k \cup \{0\}$. Finally when $s \in [1, \delta - 1]$ and $s \notin I_k$, we
have $\mathrm{wt}_q(\delta + s) < k(q - 1)$ meaning $\delta + s \in T_\nu$, completing
the proof.

Lemma 3.17 Denote by $C$ the GRM code $R_q^*(\nu, m)$ of length $n = q^{m'} - 1$,
$\nu = (m' - k)(q - 1)$. Let $\delta = q^k - 1$ and let $S_C(\delta)$ be the system
(25), written for the codewords of weight $\delta$ of $C$. The defining set is
$T_\nu$. Then any solution $(\Lambda_1, \dots, \Lambda_n, \sigma_1, \dots, \sigma_\delta)$
of $S_C(\delta)$ satisfies the following statements.
(i) $\Lambda_1 = \Lambda_2 = \dots = \Lambda_{\delta-1} = 0$.
(ii) If $s \in [1, \delta - 1]$ and $s \notin I_k$, then $\Lambda_{\delta+s} = 0$ and
$\sigma_s = 0$.
(iii) If $s \in I_k$, then $\sigma_s = \Lambda_{\delta+s} / \Lambda_\delta$.

Proof: Recall that $I_k$ is the set of the $q^k - q^j$, $j \in [0, k - 1]$. Statement
(i) and a part of statement (ii) are immediately deduced from Lemma 3.16.
Indeed it was proved that the defining set of $C$ contains $[1, \delta - 1]$ and
any $s + \delta$ such that $s \in [0, \delta - 1]$ and $s \notin I_k$. Now we write the
first Newton identities, taking into account the condition
$\{ \Lambda_i = 0, \ i \in [0, \delta - 1] \}$.
$$
\begin{array}{lcl}
I_1 & : & \Lambda_{\delta+1} + \Lambda_\delta \sigma_1 = 0 \\
I_2 & : & \Lambda_{\delta+2} + \Lambda_{\delta+1} \sigma_1 + \Lambda_\delta \sigma_2 = 0 \\
\vdots & & \\
I_s & : & \Lambda_{\delta+s} + \sum_{i=1}^{s} \Lambda_{\delta+s-i} \sigma_i = 0 \\
\vdots & & \\
I_{2\delta-1} & : & \Lambda_{2\delta-1} + \Lambda_{2\delta-2} \sigma_1 + \dots + \Lambda_\delta \sigma_{\delta-1} = 0
\end{array}
$$
There are other $\Lambda_i$ which are zero because the full condition is
$\{ \Lambda_i = 0, \ i \in T_\nu \}$. The proof follows by simply replacing some
$\Lambda_i$ by zero in the system above.
We proceed by induction on $s$. Since we do not treat trivial GRM codes,
it is clear that $1 \notin I_k$. So $\Lambda_{\delta+1} = 0$ and $I_1$ gives
$\sigma_1 = 0$. Now we assume the following hypothesis, say $H_r$: for
$r \in [0, s - 1]$, if $r \notin I_k$ then $\sigma_r = 0$ else
$\sigma_r = \Lambda_{\delta+r} / \Lambda_\delta$. Consider every term
$\Lambda_{\delta+s-i} \sigma_i$, $i < s$, of the identity $I_s$. We have:

• If $i \notin I_k$ then $\sigma_i = 0$ from $H_i$.

• If $i \in I_k$ then $i = q^k - q^j$, $j$ in the range $[0, k - 1]$. As
$i < s < q^k - 1$, $s - i < q^j - 1$ with $q^j - 1 < q^{k-1}$. Hence
$s - i \notin I_k$ implying $\Lambda_{\delta+s-i} = 0$.

So the identity $I_s$ is in fact $\Lambda_{\delta+s} + \Lambda_\delta \sigma_s = 0$. If
$s \notin I_k$ then $\Lambda_{\delta+s} = 0$ and $\sigma_s = 0$, otherwise
$\sigma_s = \Lambda_{\delta+s} / \Lambda_\delta$. Note that $\Lambda_\delta = 0$ is
impossible because this would imply that all the $\Lambda_i$ are zero (one can
also say that the BCH bound would be strictly greater than $\delta$).


Theorem 3.18 The minimum weight codewords of the punctured GRM code
$R_q^*(\nu, m)$, $\nu = (m' - k)(q - 1)$, are the codewords of weight
$\delta = q^k - 1$ whose locators are the nonzero elements of some subspace $V_k$
of F of dimension $k$ and whose symbols are from $\{0, 1\}$, up to scalar
multiplication. These are in the algebra $\mathbf{k}[\{F^*, \times\}]$ precisely the
codewords
$$ x = \lambda \sum_{g \in V_k^*} (g), \quad \lambda \in \mathbf{k}. \tag{34} $$
The locator polynomial is
$$ \sigma_x(X) = 1 + \sum_{\substack{s = q^k - q^j \\ j \in [0, k-1]}} \frac{\rho_{\delta+s}(x)}{\rho_\delta(x)} X^s. \tag{35} $$
The minimum weight codewords of $R_q(\nu, m)$ are the codewords of A of weight
$q^k$ which are of the form (33).

Proof: This is an application of Corollary 3.8. In Lemma 3.17 we studied the
solutions of the system $S_C(\delta)$, where $C = R_q^*(\nu, m)$ and $\delta$ is the
minimum weight of $C$. We know that in this case the set of the solutions of
$S_C(\delta)$ is the set of the minimum weight codewords of $C$. For any solution
the $\Lambda_i$ are the coefficients of the MS polynomial, and the $\sigma_i$ are the
coefficients of the locator polynomial of such a word. So we have proved that
any minimum weight codeword of $C$ has a locator polynomial of the form (35).
On the other hand, we know from Proposition 3.14 that the roots of
such a polynomial are the non zero elements of some subspace $V_k$ of F of
dimension $k$. Moreover we know that any codeword of the form (34) is a
minimum weight codeword of $R_q^*(\nu, m)$. So the symbols of the minimum
weight codewords are from $\{0, 1\}$, up to a scalar multiplication. Indeed two
minimum weight codewords which have the same support are obtained one
from the other by scalar multiplication. The set of the minimum weight
codewords of $C$ is the set of codewords of the form (34).
GRM codes are affine-invariant codes. Hence the minimum weight
codewords of $R_q(\nu, m)$ are the codewords of A of weight $q^k$ which are either
an extension of any minimum weight codeword of $R_q^*(\nu, m)$ or any translation
of these extended codewords. They are the codewords $X^h x$, where $x$ is the
extension of a minimum weight codeword of $R_q^*(\nu, m)$ and $h \in F$. These are
exactly the codewords of the form (33).
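The following added example (not part of the original text) checks Theorem 3.15, Proposition 3.14 and formula (35) numerically in the binary case $q = 2$. The field GF(2^6) built from x^6 + x + 1, the sample bases and all function names are assumptions made for the illustration; $\rho_s(x)$ is taken to be the power sum $A_s$ over the support, which is the case $\lambda = 1$.

```python
M = 6                      # F = GF(2^6); here q = 2, so m' = m = 6
MODULUS = 0b1000011        # x^6 + x + 1, irreducible over GF(2) (assumed choice)
N = (1 << M) - 1           # n = 2^m - 1


def gf_mul(a, b):
    """Multiply two elements of GF(2^M) given as bit vectors."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^M)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def span(basis):
    """All GF(2)-linear combinations of the basis vectors."""
    V = {0}
    for b in basis:
        V |= {v ^ b for v in V}
    return V


def power_sum(V, i):
    """A_i = sum of v^i over v in V (Theorem 3.15)."""
    s = 0
    for v in V:
        s ^= gf_pow(v, i)
    return s


def locator(V):
    """Coefficients [1, sigma_1, ..., sigma_delta] of prod (1 - g X), g in V*."""
    sigma = [1]
    for g in sorted(V - {0}):
        nxt = sigma + [0]
        for i, c in enumerate(sigma):
            nxt[i + 1] ^= gf_mul(c, g)   # minus is plus in characteristic 2
        sigma = nxt
    return sigma


def check_subspace(basis):
    """Return (Theorem 3.15 holds, Proposition 3.14 holds, (35) holds, sigma)."""
    k = len(basis)
    V = span(basis)
    if not 0 < k < M or len(V) != 1 << k:
        raise ValueError("need 0 < k < M linearly independent basis vectors")
    delta = (1 << k) - 1
    I_k = {(1 << k) - (1 << j) for j in range(k)}
    A = {i: power_sum(V, i) for i in range(1, N + 1)}
    # Theorem 3.15: A_i = 0 whenever the 2-weight of i is less than k.
    thm_3_15 = all(A[i] == 0 for i in A if bin(i).count("1") < k)
    sigma = locator(V)
    # Proposition 3.14: besides the constant term, only exponents in I_k occur.
    support = {i for i, c in enumerate(sigma) if c and i > 0}
    prop_3_14 = support <= I_k and sigma[delta] != 0
    # Formula (35) with rho_s = A_s: sigma_s = A_{delta+s} / A_delta.
    inv = gf_pow(A[delta], N - 1)
    eq_35 = all(sigma[s] == gf_mul(A[delta + s], inv) for s in I_k)
    return thm_3_15, prop_3_14, eq_35, sigma


if __name__ == "__main__":
    # Constructed basis of a 3-dimensional subspace: delta = 7, I_3 = {4, 6, 7}.
    ok15, ok14, ok35, sigma = check_subspace([3, 20, 41])
    print(ok15, ok14, ok35, [i for i, c in enumerate(sigma) if c])
```
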


Comments on Section 3.2 Our purpose is to emphasize, with an elementary
presentation, that any property of polynomials on finite fields can apply
to the description of codewords of cyclic codes. We have chosen to present
the best known polynomials concerned with codewords of cyclic codes. They
are more or less lacunary and this property, evidently, gives simplifications for
solving the algebraic systems of type (25).
It appears in [10] that binary narrow-sense BCH codes often have a min-
imum weight codeword which is an idempotent, and the authors ask for a
theoretical explanation of their numerical results.
In Theorem 3.15, the values of some power sum functions are given for
codewords whose supports are vector spaces. The result, due to Kasami et
al. [91], is based on a report from Pele [122]. Note that there is no other
general result on the other power sum functions of these codewords. We
remark that Theorem 3.18 gives the form of the coefficients of the locator
polynomials of codewords whose supports are vector spaces.
Denote by W the set of the minimum weight codewords of the binary BCH
code of length $2^m - 1$ and minimum distance $2^{m-2} - 1$. It was proved that W
is equal to the set of the minimum weight codewords of the punctured
Reed-Muller code $R_2^*(2, m)$ [9][41]. It is probably an exception which, however,
could happen also for some non binary primitive BCH codes. We know
that the p-ary Reed-Muller codes (extended or not) are generated by their
minimum weight codewords (see Chapter(Assmus-Key) and also [3]). This
leads to the general problem: for which other cyclic codes does this property
hold?
The number of minimum weight codewords of GRM codes was obtained
by Delsarte, Gœthals and MacWilliams [64]. At the beginning of
their proof, the authors hasten to point out that it would be very desirable to
find a more sophisticated and shorter proof. Another description of the set
of minimum weight codewords was proposed in [20], but the proof used the
cardinality of this set. We cannot say, at present, if our method which leads
to the description of the set of minimum weight codewords of GRM codes
of some orders (Theorem 3.18) can be generalized to GRM codes of any
order. Furthermore we are not sure that it can provide a proof shorter than
the preceding. Actually our aim is merely to illustrate the use of Newton
identities and then to suggest other applications.

3.3 On the minimum distance of BCH codes


The BCH codes are, for many reasons, considered as the most important
cyclic codes. They are presented in Chapter 1 and appear in several others
(Tietaveinen-Huffman-Brualdi.Litsyn.Pless) because of their connection with
many open problems. In this section we want to present recent numerical
results on the true minimum distance of primitive binary BCH codes and
their duals. Actually there are few theoretical results for the pionering work
of Berlekamp [22, 23] and Kasami et al. [87, 88, 89, 90, 93]. In this con-
text there is a challenge which consists in the improvement of the numerical
results. This is a good way for testing the efficiency of algorithms for finding
minimum weight codewords in a given code. But above all the numerical
results could suggest interesting conjectures.
Recall that BCH codes are defined in Section 2.2 (Definition 2.9). In this
section we consider binary BCH codes of length $2^m - 1$; we will always assume
that the designed distance is the smallest representative of its 2-cyclotomic
coset.
In the previous section we have pointed out that the problem of finding
the minimum distance of BCH codes is connected with the existence of some
kinds of polynomials. In Section 2.4 we indicated that the group algebra
approach can lead to applications on minimum distance of non binary BCH
codes. On the other hand the Weil bound is an interesting tool for studying
the duals (see Theorem 3.21). In the binary case this bound is actually the
so-called Carlitz-Ushiyama bound:

Theorem 3.19 Denote by $B(\delta)$ the binary BCH code of length $2^m - 1$ and
designed distance $\delta$ with $\delta = 2t + 1$. Assume that
$$ 2t - 1 < 2^{\lceil m/2 \rceil} + 1. $$
Then the weight $w$ of any codeword in $B^\perp(\delta)$ satisfies
$$ 2^{m-1} - 2^{m/2} (t - 1) \le w \le 2^{m-1} + 2^{m/2} (t - 1). $$
Note that $w$ must be even.

The BCH bound is generally a good bound for BCH codes since one can
say that the true minimum distance is roughly close to the BCH bound. It
is easy to find examples of non primitive binary BCH codes whose minimum
distance exceeds the BCH bound (see [111, p.205] and [47, 84]).
When the codes are binary and primitive, it is usually conjectured that
the true minimum distance d does not exceed δ + 4, δ being the designed
distance. Kasami and Tokura first proved that d can exceed δ [93, 1969].
This result was obtained by means of the divisibility of the RM codes. They
have shown that for any $m > 6$, $m$ different from 8 and 12, there are some
binary BCH codes of length $2^m - 1$ and designed distance δ such that d > δ.
Quite recently Augot et al. completed the table of the minimum distance of
BCH codes of length 255 [9, 1991]. By using Newton identities they proved
that two such codes have true minimum distance δ + 2. These are the BCH
codes with designed distance 59 and 61. At the moment the case m = 12
remains open.
On the other hand the true minimum distances of BCH codes of length
511 are not all known. The more recent results are due to Canteaut and
Chabaud [38]. In their paper, a probabilistic algorithm for finding small-
weight words in any linear code is presented; this algorithm applies success-
fully to the determination of the minimum distance of some BCH codes.
The BCH codes of length n = 511, dimension k and designed distance δ
are listed in Table 3. The true minimum distance is denoted by d. When d
is known, we indicate the paper where the result can be found. We want to
conclude by some comments on the results presented in this table.
• The value of d is not known for six codes. These are the BCH codes
with designed distance

59 , 61 , 75 , 77 , 85 and 107.

  k     δ      d      in       |    k     δ      d      in
 502     3      3     [89]     |   241    73     73     [123]
 493     5      5     [89]     |   238    75    ≥ 75    —
 484     7      7     [89]     |   229    77    ≥ 77    —
 475     9      9     **       |   220    79     79     *
 466    11     11     [89]     |   211    83     83     *
 457    13     13     [76]     |   202    85    ≥ 85    —
 448    15     15     [89]     |   193    87     87     ***
 439    17     17     **       |   184    91     91     *
 430    19     19     *        |   175    93     95     # [93]
 421    21     21     [123]    |   166    95     95     [89]
 412    23     23     [89]     |   157   103    103     *
 403    25     25     [76]     |   148   107    ≥ 107   —
 394    27     27     [89]     |   139   109    111     # [93]
 385    29     29     ***      |   130   111    111     [89]
 376    31     31     [89]     |   121   117    119     # [93]
 367    35     35     [123]    |   112   119    119     [89]
 358    37     37     ***      |   103   123    127     ## *
 349    39     39     *        |    94   125    127     # [93]
 340    41     41     ***      |    85   127    127     [89]
 331    43     43     ***      |    76   171    171     **
 322    45     45     *        |    67   175    175     **
 313    47     47     [89]     |    58   183    183     **
 304    51     51     ***      |    49   187    187     **
 295    53     53     *        |    40   191    191     [89]
 286    55     55     [89]     |    31   219    219     [123]
 277    57     57     *        |    28   223    223     [89]
 268    59    ≥ 59    —        |    19   239    239     [89]
 259    61    ≥ 61    —        |    10   255    255     [89]
 250    63     63     [89]     |

#    d = δ + 2
##   d = δ + 4
*    new result obtained by Newton’s identities [9]
**   new result obtained by an exhaustive search [9]
***  new result obtained with a probabilistic algorithm [38]
Table 3: The binary narrow-sense BCH codes of length 511, §3.3.
• Most results are due to Kasami et al. Theorem 1 of [89] applies to a
large class of BCH codes. It is obtained by studying the intersection of
BCH codes with shortened RM codes.

• Four codes have minimum distance δ + 2; this is due also to Kasami
et al. by using the 4-divisibility of the RM code of order four [93].
By using Newton identities, it was established that the BCH code of
designed distance 123 has minimum distance 127 [9]. Taking into
account several numerical results, we conjecture that any BCH code of
length $2^m - 1$ and designed distance $\delta = 2^{m-2} - r$, $r = 3$ or $5$, has true
minimum distance greater than δ.

• We have 511 = 7 × 73. Consider B, a BCH code of length 511 whose
designed distance is $\delta = 7 \times \delta_2$. For any available value of $\delta_2$, the
BCH code of length 73 and designed distance $\delta_2$ has true minimum distance
$\delta_2$. Hence B has true minimum distance δ. There is a similar property
when the designed distance is $\delta_1 \times 73$. All these results can be derived
from a general one which can be found in [123, p.278]. Note that the
general context is the study of cyclic product codes [70, 103].

• The true minimum distances

d = 19, 39, 45, 53, 57, 79, 83, 91, 103,

are obtained by finding an idempotent of weight d or d + 1 in the code
[9].

• The true minimum distances 13 and 25 were computed by considering
a “shortened code” [76].

• When δ ≤ 9 one can also deduce d from [111, Theorem 2, p.259].
This general theorem, easily proved, shows that BCH codes with small
designed distance δ have true minimum distance δ.

On the other hand, the Carlitz-Ushiyama bound (CU bound) gives
an interesting estimation of the minimum distance of the dual $B^\perp(\delta)$ of
the BCH code $B(\delta)$ of length $2^m - 1$ and designed distance δ. However this
bound is trivial when
$$ \delta \ge 2^{\lceil m/2 \rceil} + 3. $$
δ                   Theoretical bound    Schaub’s bound
3                   128                  128*
5                   112                  112*
7                   96                   96*
9                   80                   88
11                  64                   64
13                  48                   64
15                  32                   60
17, 19              24                   42
21                  24                   40
23, 25, 27          24                   32
29                  16                   28
31                  16                   26
37                  14                   22
39                  12                   22
43, 45              12                   20
47, 51, 53          12                   16
55, 59              12                   ?
61, 63, 85          8                    ?
87, 91, 95, 111     6                    ?
119, 127            4                    ?

Table 4: Lower bounds for the minimum distance of duals of binary BCH
codes of length 255 and designed distance δ (see § 3.3).

Moreover it seems to be really significant only when the dimension of the
dual is small. The Weil bound, which can be used for any cyclic code, has
these drawbacks.
A recent study, due to Augot and Levy-dit-Vehel gives us new nu-
merical results on the minimum distance of duals of primitive BCH codes
[11]. In this paper the best known theoretical bound is checked by using
a new algorithm which is based on Theorem 2.5. The theoretical bound
is determined from the CU bound (the Weil bound for non binary codes)
and from the results of Levy-dit-Vehel. In [100, 101], she determined
the divisibility of duals of primitive BCH codes and gave new lower bounds
for duals of large dimension (when the other bounds do not work). On the
other hand an algorithmic method, due to Massey and Schaub, called the
rank-bounding algorithm [115, 127], was implemented. The results on du-
als of primitive BCH codes are surprisingly higher than all previously known
bounds [11][100].
As an example we give in Table 4 the lower bound on the minimum
distance of binary codes $B^\perp(\delta)$ of length 255. The symbol “∗” means that
the bound is the true minimum distance. The sign “?” means that the
rank-bounding algorithm fails; it cannot compute the bound. The CU bound
does not work for δ > 19. When δ ≤ 19 the theoretical lower bound is
“combinatorial”, based on the Roos bound [101]. One can see that for
13 ≤ δ ≤ 53 the rank-bounding algorithm produces a lower bound much higher
than the theoretical lower bound. Generally the numerical results obtained
in this way show that the approximation of the minimum distance of the
duals of primitive BCH codes remains an open problem.

Comments on Section 3.3 In this section we pointed out the interest
in some recent numerical observations concerning specific difficult questions;
they induce or strengthen several conjectures. The general problem is,
however, the determination of the weight enumerators of any BCH code.
The most recent numerical results on the weight distributions of BCH
codes are due to Desaki, Fujiwara and Kasami [65]. By using an orig-
inal algorithm, the authors obtain all weight enumerators of extended bi-
nary primitive BCH codes of length 128. They observe that the extended
BCH code of length 128 and dimension k has the same weight distribu-
tion as the dual of the extended BCH code of dimension 128 − k, when
k = 29, 36, 43, 64, 85, 92, 99.

There is a lot of work on the CU bound, the Weil bound and their ap-
plications to cyclic codes. This subject is treated in Chapter(Tietavainen).
The recent work of Rodier [126] on duals of binary primitive BCH codes is
also explained in that chapter.

3.4 On the weight enumerators


To find new tools for the study of weight enumerators is a classical research
problem in coding theory. We wish to show that it is a motivating subject by
presenting some fundamental tools through famous unsolved problems and
examples. These tools – in particular, the MacWilliams transform, the Pless
identities, invariant theory and Gauss sums – provide important, but partial,
results. So it appears that it is necessary to find new tools or original methods
combining several tools in order to solve a number of essential problems.
We assume that the basic presentation, given in Chapter 1 (Section 10),
is known.
We would like to introduce this section by recalling two important theo-
rems. The first one, due to McEliece [105], provides an algorithm for the
determination of the divisibility of any given p-ary cyclic code; an application
will be presented in Section 3.4.3 (Proposition 3.35). The second one gives
a lower bound and an upper bound for the weights of cyclic codes. It comes
from the results of Weil and Serre on the number of rational points of
algebraic curves and was adapted by Wolfmann to the case of cyclic codes
[146]; the use of this theorem is explained in the next example.

Theorem 3.20 Let $C$ be a cyclic code of length $n$ over $\mathbf{k}$ where $\mathbf{k}$ is a
prime field of order $p$. Let $T$ be the defining set of $C$ and denote by $U$ the
set $\{ s \in [0, n - 1] \mid s \notin T \}$. Suppose that $0 \notin U$. Let $w$ be the
smallest integer satisfying
1. $w \equiv 0 \pmod{p - 1}$, and
2. there are $w$ elements of $U$ (with repetition allowed), say $u_1, \dots, u_w$,
such that the sum $\sum_{i=1}^{w} u_i$ equals 0 modulo $n$. Note that any element
may occur $t$ times, $t \le p - 1$.
Then for any $c \in C$, the weight of $c$ satisfies
$$ \mathrm{wt}(c) \equiv 0 \pmod{p^\lambda}, \quad \lambda = \frac{w}{p - 1} - 1. $$
Moreover there is a $c$ in $C$ such that $\mathrm{wt}(c) \not\equiv 0 \pmod{p^{\lambda+1}}$.
In other words, the code $C$ is $p^\lambda$-divisible and not $p^{\lambda+1}$-divisible.
Theorem 3.21 Let $C$ be a cyclic code of length $n$ over $\mathbf{k}$, the field of order
$q$. Set $n\nu = q^{m'} - 1$, where $q^{m'}$ is the order of F, the splitting field of
$X^n - 1$. Let $T$ be the defining set of $C$ and let $T^\perp$ be the defining set of
$C^\perp$. Denote by $J$ a set of representatives of the cyclotomic cosets of $q$
modulo $n$ belonging to $T^\perp$. Let $\theta$ be the biggest element in $J$.
If every element of $J$ is prime to $p$, then the non-zero weights $w$ of $C$
satisfy:
(i) If $0 \in T$ then
$$ \left| w - \frac{q^{m'-1}(q - 1)}{\nu} \right| \le \frac{(\theta\nu - 1)(q - 1)}{2\nu q} \left\lfloor 2 q^{m'/2} \right\rfloor. $$
(ii) If $0 \notin T$ then
$$ \left| w - \frac{q^{m'-1}(q - 1) - 1}{\nu} \right| \le \frac{(\theta\nu - 1)(q - 1)}{2\nu q} \left\lfloor 2 q^{m'/2} \right\rfloor. $$


Example 3.22 In order to explain the use of Theorem 3.21, we study the
dual $C$ of the ternary BCH [80, 68, 5] code. Thus $q = 3$, $n = 3^4 - 1 = 80$
($\nu = 1$ and $m' = 4$) and the defining set of $C^\perp$ is
$$ T^\perp = \{1, 3, 9, 27\} \cup \{2, 6, 18, 54\} \cup \{4, 12, 36, 28\}. $$
The defining set of $C$ is the set of those $t$ such that $n - t \notin T^\perp$; in
particular $0 \in T$. The set $J$ is a system of representatives of the cyclotomic
cosets included in $T^\perp$; each representative must be prime to 3. Clearly the
best choice, producing the best bound, is $J = \{1, 2, 4\}$, implying $\theta = 4$.
According to Theorem 3.21 (i), the non zero weights $w$ of $C$ satisfy
$$ 2 \cdot 3^3 - \frac{2(4 - 1)}{6} \, 2 \cdot 3^2 \le w \le 2 \cdot 3^3 + \frac{2(4 - 1)}{6} \, 2 \cdot 3^2 $$
giving $36 \le w \le 72$. These bounds are attained. By using the coding package
of MAGMA we obtain the weight enumerator of $C$, say $W(x, y)$,
$$
\begin{aligned}
W(x, y) = {} & x^{80} + 800 x^{44} y^{36} + 26720 x^{35} y^{45} + 77220 x^{32} y^{48} \\
 & + 108000 x^{29} y^{51} + 154880 x^{26} y^{54} + 112320 x^{23} y^{57} \\
 & + 37800 x^{20} y^{60} + 13600 x^{17} y^{63} + 100 x^{8} y^{72}.
\end{aligned}
$$
Note that C is self-orthogonal; therefore it is 3-divisible. The Weil bound
gives an excellent result; this is because the dimension of C ⊥ is small, as we
noticed in Section 3.3.
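Theorem 3.20 can be applied mechanically to the code $C$ of Example 3.22. The sketch below is an added example, not code from the original text; the function names are hypothetical. It searches for the smallest $w$ by dynamic programming over pairs (number of terms, sum modulo $n$) and compares the resulting divisibility with the weights listed in $W(x, y)$.

```python
def cyclotomic_coset(s, q, n):
    """Return the q-cyclotomic coset of s modulo n."""
    coset, x = set(), s % n
    while x not in coset:
        coset.add(x)
        x = (x * q) % n
    return coset


def mceliece_divisibility(nonzeros, p, n):
    """Return (w, lam) of Theorem 3.20 for the p-ary cyclic code of length n
    whose set U of non-zeros is `nonzeros`; the code is p**lam-divisible."""
    U = sorted({u % n for u in nonzeros})
    if 0 in U:
        raise ValueError("Theorem 3.20 assumes that 0 is not in U")
    # states holds every pair (number of terms, sum mod n) reachable with the
    # elements seen so far, each element being used at most p - 1 times.
    states = {(0, 0)}
    for u in U:
        states |= {(c + t, (r + t * u) % n)
                   for (c, r) in states for t in range(1, p)}
    sizes = [c for (c, r) in states if r == 0 and c > 0 and c % (p - 1) == 0]
    if not sizes:
        return None
    w = min(sizes)
    return w, w // (p - 1) - 1


def example_3_22():
    """U and (w, lam) for the dual C of the ternary BCH [80, 68, 5] code."""
    n, p = 80, 3
    t_perp = set().union(*(cyclotomic_coset(s, p, n) for s in (1, 2, 4)))
    # Defining set of C: the t with n - t not in T_perp; U is its complement.
    T = {t for t in range(n) if (n - t) % n not in t_perp}
    U = set(range(n)) - T
    return U, mceliece_divisibility(U, p, n)


# Non-zero weights and multiplicities copied from W(x, y) in Example 3.22.
WEIGHTS_3_22 = {36: 800, 45: 26720, 48: 77220, 51: 108000, 54: 154880,
                57: 112320, 60: 37800, 63: 13600, 72: 100}


def consistent_with_enumerator(lam, p, weights):
    """True if every weight is divisible by p**lam but not all by p**(lam+1)."""
    return (all(wt % p**lam == 0 for wt in weights)
            and any(wt % p**(lam + 1) != 0 for wt in weights))


if __name__ == "__main__":
    U, (w, lam) = example_3_22()
    print("|U| =", len(U), " w =", w, " lambda =", lam)
    print("matches W(x, y):", consistent_with_enumerator(lam, 3, WEIGHTS_3_22))
    # Constructed binary check: non-zeros {1, 2, 4} modulo 7 (a [7, 3, 4] code).
    print(mceliece_divisibility(cyclotomic_coset(1, 2, 7), 2, 7))
```

For this code the search gives $w = 4$, hence $\lambda = 1$: the code is 3-divisible and not 9-divisible, in agreement with the weight 48 in $W(x, y)$.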

3.4.1 The Reed-Muller codes


The weight enumerators of GRM codes are not known. This fundamental
problem is heavily connected with many open problems on primitive codes
and on related discrete objects.
In particular few weight enumerators of binary Reed-Muller codes are
known. The weight enumerators of the RM codes of orders one and two are
known. As $R_2(m - \nu - 1, m)$ is dual to $R_2(\nu, m)$, the weight enumerators
of $R_2(m - 2, m)$ and of $R_2(m - 3, m)$ are also known (see Theorem 13.3 of
Chapter 1). It is an old problem to find the weight enumerators of
$R_2(\nu, m)$, $3 \le \nu \le m - 4$.
Carlet pointed out that it is as difficult to find a general characterization
of the weights in the RM code of order three as it is to obtain one in the RM
codes of any order [39]. In any case it seems that the problem is to find a
good formulation. Such a formulation was found for the self-dual RM codes.
Assume that $m$ is odd and set $\tau = (m - 1)/2$. The code $R_2(\tau, m)$ is
equal to its dual since $m - \tau - 1 = \tau$. On the other hand the divisibility
of RM codes is well-known to be $2^{\lceil m/\nu \rceil - 1}$, where $\nu$ is the order
(see a proof in Chapter(tietav-honkala) Theorem 4.17). So all weights in
$R_2(\tau, m)$ are divisible by four, i.e. $R_2(\tau, m)$ is a doubly-even self-dual
code. The general form of weight enumerators of doubly-even binary self-dual
codes is known from the work of Gleason. We have for $R_2(\tau, m)$ the following
result.

Theorem 3.23 Let $\phi_8$ and $\phi_{24}$ be respectively the weight enumerator of the
extended Hamming code and the weight enumerator of the extended Golay
code:
$$ \phi_8 = x^8 + 14 x^4 y^4 + y^8 $$
and
$$ \phi_{24} = x^{24} + 759 (x^{16} y^8 + x^8 y^{16}) + 2576 x^{12} y^{12} + y^{24}. $$
Then the weight enumerator of $R_2(\tau, m)$, $\tau = (m - 1)/2$ and $m$ odd, is of
the form
$$ W_m(x, y) = a_0 \phi_8^{2^{m-3}} + a_1 \phi_8^{2^{m-3} - 3} \phi_{24} + \dots + a_i \phi_8^{2^{m-3} - 3i} \phi_{24}^{i} + \dots + a_r \phi_8 \phi_{24}^{r}, \tag{36} $$
where $r = (2^{m-3} - 1)/3$ and the $a_i$ are numbers to be determined. Now,
setting $t = (m + 1)/2$, the coefficients $b_i$ of $W_m(x, y)$ satisfy:
1. if $i \not\equiv 0 \pmod 4$, then $b_i = 0$,
2. $b_1 = b_2 = \dots = b_{2^t - 1} = 0$, and
3. if $2^t \le s < 2^{t+1}$ and $s \notin \{ 2^{t+1} - 2^j \mid 2 \le j \le t \}$, then
$b_s = 0$.

Proof: Recall the notation of $W_m(x, y)$:
$$ W_m(x, y) = \sum_{i=0}^{2^m} b_i x^{n-i} y^i $$
where $b_i$ is the number of codewords of weight $i$ in $R_2(\tau, m)$. As the code
is 4-divisible, any $b_i$ such that $i \not\equiv 0 \pmod 4$ is zero. Formula (36) is
due to Gleason [69]. We have written his general formula only for length $2^m$.
Note that 3 divides $2^{m-3} - 1$ because $m$ is odd.
The minimum weight of $R_2(\tau, m)$ is $2^t$, $t = m - \tau = (m + 1)/2$. This may
be deduced from the BCH bound, implying the second condition on the $b_i$.
The third one is deduced from a general result of Kasami [92] (see comments
in Section 3.4.1).

The weight enumerators of the self-dual RM codes are not known for
$m \ge 9$. In the following example we will show how one can determine
$W_m(x, y)$ for lengths 32 and 128 by means of the previous theorem.

Example 3.24 First recall that $R_2(1, 3)$ is the extended Hamming code and
then $W_3(x, y)$ is exactly $\phi_8(x, y)$. The code $R_2(2, 5)$ is a [32, 16, 8]
self-dual code; we obtain from (36):
$$
\begin{aligned}
W_5(x, y) &= a_0 \phi_8^4 + a_1 \phi_8 \phi_{24} \\
 &= a_0 (x^8 + 14 x^4 y^4 + y^8)^4 + a_1 (x^8 + 14 x^4 y^4 + y^8) \\
 &\qquad (x^{24} + 759 x^{16} y^8 + 2576 x^{12} y^{12} + 759 x^8 y^{16} + y^{24}).
\end{aligned}
$$
Since there is only one codeword of weight zero, we have $a_0 + a_1 = 1$.
Moreover the code has no codeword of weight four and the coefficient of
$x^{28} y^4$ is $14(4a_0 + a_1)$. This leads to $a_0 = -1/3$ and $a_1 = 4/3$, giving
$$ W_5(x, y) = x^{32} + 620 x^{24} y^8 + 13888 x^{20} y^{12} + 36518 x^{16} y^{16} + 13888 x^{12} y^{20} + 620 x^8 y^{24} + y^{32}. $$
Note that we have proved again that the weight enumerator of all doubly-even
self-dual [32, 16, 8] codes is unique. Actually this code is extremal and
this property holds for any extremal doubly-even self-dual code (see Section
10 of Chapter 1).
The code $R_2(3, 7)$ is a [128, 64, 16] doubly-even self-dual code with weight
enumerator of the following form:
$$ W_7(x, y) = a_0 \phi_8^{16} + a_1 \phi_8^{13} \phi_{24} + a_2 \phi_8^{10} \phi_{24}^2 + a_3 \phi_8^{7} \phi_{24}^3 + a_4 \phi_8^{4} \phi_{24}^4 + a_5 \phi_8 \phi_{24}^5, $$
where $a_0, \dots, a_5$ are not known. By using this formula, is it possible to
determine all the coefficients $b_i$ of the polynomial $W_7(x, y)$?
We have $b_0 = 1$ and, according to Theorem 3.23, $b_4 = b_8 = b_{12} = b_{20} = 0$.
Moreover, the number $b_{16}$ of minimum weight codewords of $R_2(3, 7)$ is
3309747 (see [111, Chapter 13, Theorem 9]). By computing the corresponding
coefficients in $W_7(x, y)$ we obtain successively:
$$ a_0 = 1 - a_1 - \dots - a_5, \quad a_1 = 16/3 - 2a_2 - 4a_3 - 3a_4 - 5a_5, $$
$$ a_2 = 4084/441 - 3a_3 - 6a_4 - 10a_5, \quad a_3 = 17944/3087 - 4a_4 - 10a_5, $$
$$ a_4 = 46568/46305 - 79a_5/20, \quad a_5 = 5628589/5445468. $$
We solved the equations on the $b_i$ by using a symbolic computation software.
The coefficients of $W_7(x, y)$ are given in Table 5. As we have determined
$W_7(x, y)$, we know the weight enumerators of all RM codes of length 128.
Indeed the other RM codes of length 128 are those of order one and two and
their duals.
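The computation of $W_5(x, y)$ in Example 3.24 can be reproduced with exact rational arithmetic. The code below is an added example, not the symbolic software mentioned in the text; the function names are hypothetical. It builds the basis of formula (36) for any length divisible by 8, solves for the $a_i$ from a set of known $b_i$ by Gaussian elimination, and is run here only on the length 32 case with $b_0 = 1$ and $b_4 = 0$.

```python
from fractions import Fraction

# Weight enumerators with x = 1, stored as {exponent of y: coefficient}.
PHI8 = {0: 1, 4: 14, 8: 1}
PHI24 = {0: 1, 8: 759, 12: 2576, 16: 759, 24: 1}


def poly_mul(f, g):
    """Product of two polynomials in y."""
    out = {}
    for i, a in f.items():
        for j, b in g.items():
            out[i + j] = out.get(i + j, 0) + a * b
    return out


def poly_pow(f, e):
    """f raised to the non-negative integer power e."""
    out = {0: 1}
    for _ in range(e):
        out = poly_mul(out, f)
    return out


def gleason_basis(n):
    """The polynomials phi8^(n/8 - 3i) * phi24^i, i = 0..floor(n/24), of (36)."""
    return [poly_mul(poly_pow(PHI8, n // 8 - 3 * i), poly_pow(PHI24, i))
            for i in range(n // 24 + 1)]


def solve_gleason(n, known):
    """Solve for a_0..a_r from known coefficients b_i given as {i: b_i}.

    Gaussian elimination over the rationals; raises ValueError when the
    known b_i do not determine the a_i uniquely or contradict each other."""
    basis = gleason_basis(n)
    r = len(basis)
    rows = [[Fraction(p.get(i, 0)) for p in basis] + [Fraction(b)]
            for i, b in sorted(known.items())]
    for col in range(r):
        piv = next((k for k in range(col, len(rows)) if rows[k][col] != 0), None)
        if piv is None:
            raise ValueError("known coefficients do not determine the a_i")
        rows[col], rows[piv] = rows[piv], rows[col]
        rows[col] = [v / rows[col][col] for v in rows[col]]
        for k in range(len(rows)):
            if k != col and rows[k][col] != 0:
                f = rows[k][col]
                rows[k] = [vk - f * vc for vk, vc in zip(rows[k], rows[col])]
    if any(row[-1] != 0 for row in rows[r:]):
        raise ValueError("known coefficients are inconsistent")
    a = [rows[i][-1] for i in range(r)]
    W = {}
    for ai, p in zip(a, basis):
        for e, c in p.items():
            W[e] = W.get(e, 0) + ai * c
    return a, {e: c for e, c in sorted(W.items()) if c != 0}


def w5():
    """Example 3.24 for R_2(2, 5): b_0 = 1 and b_4 = 0."""
    return solve_gleason(32, {0: 1, 4: 0})


if __name__ == "__main__":
    a, W = w5()
    print("a =", [str(v) for v in a])
    print("b =", {e: int(c) for e, c in W.items()})
```
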

Comments on Section 3.4.1 Our main reference on self-dual codes is
[111, chapter 19], where an extensive study of the work of Gleason is given.
See also Chapter 1 and Chapter(sloane). The self-dual affine-invariant codes
are studied in [54] (for characteristic 2 only). Generally an extended cyclic
code which is self-dual is doubly-even (see a proof in [99]). For this reason,
it is clear for us that there is no self-dual binary extended narrow-sense BCH
code. In a recent paper, the weight distributions of binary extended narrow-
sense BCH codes of length 128 are given [65]. Hence the extended [128, 64, 22]
BCH code is formally self-dual.
weights     number of words          weights     number of words
16, 112     3309747                  44, 84      50059881835741
24, 104     2144705388               48, 80      94150059881835741
28, 100     9507508544               52, 76      549678173926151424
32, 96      37527010290              56, 72      1920946561829079256
36, 92      19957889171264           60, 68      4051419446028441984
40, 88      94150059881835741        64          5194232755773662458

Table 5: Weight enumerator of the binary self-dual Reed-Muller code of
length 128.

Kasami and Tokura determined in [92] the number of codewords of
weight $w$, $d \le w < 2d$, of any RM code of minimum weight $d$ (see also [111,
chapter 15]). However this knowledge is not sufficient for determining the
weight enumerator of the self-dual RM code $R_2(4, 9)$ of length 512 using the
method of Example 3.24. In this case the number of indeterminates is 21
while we know the value of only 16 coefficients $b_i$ in $W_9(x, y)$. Are there other
invariants, like $\phi_8$ and $\phi_{24}$, especially for weight enumerators of RM codes?
The weight enumerators of RM codes of length $2^m$, $m \le 8$, are known.
They are studied and given in [143]. The most recent result on RM codes of
length $2^9$ is due to Sugita et al. who have determined the weight enumerator
of $R_2(3, 9)$ (see [135] and their references). Since the dual of $R_2(3, 9)$ is
$R_2(5, 9)$, only the weight enumerator of $R_2(4, 9)$, the self-dual code, remains
unknown.
Little is known about weight enumerators of GRM codes except their
divisibilities and the set of their minimum weight codewords. Can the result
of Kasami and Tokura [92] be generalized? Note however that the weight
enumerator of any GRM code of order two was given by McEliece [104].
For the minimum weight codewords of GRM codes, see comments in Section
3.2.
On the relatives of GRM codes (see [64] and Chapter(Assmus-Key)), we
want to mention the projective GRM codes. Sorensen has studied their
parameters in [133]; in particular he gave their minimum distances. Moreover
he proved that some of these codes are cyclic, describing precisely a subclass
of cyclic projective GRM codes.

3.4.2 On cyclic codes with two zeros
In this section we consider binary codes of length $n = 2^m - 1$. Recall that the
field of order $2^m$, the support field, is denoted by F and that α is a primitive
nth root of unity. Moreover codes are cyclic and have only two zeros,
i.e. the defining set is composed of two distinct 2-cyclotomic cosets modulo
n. For short we will say T = {r, s} for such a defining set, where r and s are
the coset representatives, and the code with defining set T will be denoted
by $C_{r,s}$.
This section is concerned with the classification of the codes $C_{r,s}$ by means
of their minimum distance. Our aim is to recall that this classification is not
yet achieved; furthermore the determination of the weight enumerators
appears as a most difficult problem. At the moment the known tools, that we
will present in proving Theorem 3.30, are efficient only for the
characterization of codes which are optimal in a certain sense. We begin by
showing that the minimum distance of the codes $C_{r,s}$ cannot be more than 5.

Theorem 3.25 Let $n = 2^m - 1$, $m \ge 4$. Let $C_{r,s}$ be the binary cyclic code
with defining set $\{r, s\}$ and minimum distance $d$. Then we have

(i) $2 \le d \le 5$ and

(ii) $d = 2$ if and only if $\gcd(r, s, n) > 1$.

Proof: The parity check matrix of $C_{r,s}$ has the form

$$H = \begin{pmatrix} 1 & \alpha^{r} & \alpha^{2r} & \dots & \alpha^{(n-1)r} \\ 1 & \alpha^{s} & \alpha^{2s} & \dots & \alpha^{(n-1)s} \end{pmatrix} .$$

The dimension $k$ of $C_{r,s}$ satisfies $k \ge n - 2m$. As there is no zero column in
$H$, $d \ge 2$.
On the other hand, the sphere packing bound gives $d \le 6$ (see Chapter
1, Section 2) and the existence of an $[n, k, d]$ code obviously induces the
existence of an $[n - 1, k, d - 1]$ code. Assuming $d = 6$, we could construct a
$[2^m - 2, k, 5]$ code with $k \ge 2^m - 1 - 2m$. But such a code does not exist (see
[33]). Finally $2 \le d \le 5$, completing the proof of (i).
The code $C_{r,s}$ contains a codeword of weight 2 if and only if two columns
of $H$ are equal; one can easily check that this is equivalent to $\gcd(r, s, n) > 1$.


Considering the codes $C_{1,\ell}$, van Lint and Wilson presented another
proof of this last theorem and gave a further result: if $\gcd(\ell, n) > 1$ and $m$
is odd, the minimum distance of $C_{1,\ell}$ is at most four [141, Theorem 12].
We remark that the minimum distance of codes with defining set $\{1, \ell\}$ is
clearly dependent upon properties of affine subspaces of dimension two, a fact
that we noticed in the comments of Section 3.2. Indeed denote by $V$ a subset
of four distinct elements of $F$; if $\sum_{v \in V} v = 0$ then $V$ is a 2-dimensional affine
subspace of $F$; it is a linear subspace when $V$ contains 0. So Theorem 3.25
and the result above are related to the values of the $\ell$th power sum functions
of the affine subspaces of dimension two and can be rewritten as follows.
Corollary 3.26 The minimum distance of $C_{1,\ell}$ is at most five. It is three or
four if and only if there is an affine subspace $V$ of $F$ of dimension 2 satisfying
$\sum_{v \in V} v^{\ell} = 0$. This is always the case when $\gcd(\ell, n) \neq 1$ and $m$ is odd.

The purpose of van Lint and Wilson in [141] is to prove that cyclic
codes with only two zeros are generally bad. According to Theorem 3.25,
“bad” means that $d \le 4$. In [142], the same authors use a deep theorem of
algebraic geometry for studying the special case $\ell = 7$. They proved that the
minimum distance is less than or equal to 4 when $m \ge 18$. It was later shown
that this property holds when $m < 18$, unless $m = 5$, by computing some
codewords of weight four [6]. The method introduced in [142] was generalized
by Janwa et al. [81, 82], providing a lot of results which strengthened the
previous conjecture. By applying a form of Weil’s theorem they showed
that, for a large class of codes with defining set $\{1, \ell\}$, only a finite number
could be “good”. However the problem of finding codes with defining set
$\{1, \ell\}$ and minimum distance five remains open. The known classes are the
class of the Melas codes (see Example 3.27) and two famous other classes
due to Kasami [87, 88]:
• The first one is composed of codes $C_{1,\ell}$ with $\ell = 2^i + 1$ and $\gcd(i, m) = 1$.
Note that their duals are in $R_2^*(2, m)$, the punctured RM code of order
two (see an extensive study in [111, Chapter 15]). The Preparata codes
are constructed by concatenating some of their cosets (see §4.3).
• The second one corresponds to those $\ell$ such that $\ell = 2^{2i} - 2^i + 1$ with
$\gcd(i, m) = 1$ (the proof for $m$ even is actually due to Janwa et al.).
These classes are both of most interest when $m$ is odd because they are
composed of codes which are optimal in the following sense: the dual code has
only three weights and the best minimum distance; the weight enumerator
of the dual is unique, equal to that of the dual of the 2-error-correcting
BCH code. We have here exceptional objects which appear in other contexts,
as the study of parameters of sequences (see Chapter(Kumar-helleseth)) or
the determination of cryptographic primitives with “good” properties (see
Section 4.1).
The remainder of this section will be devoted to the characterization
of these optimal objects. On the other hand the Melas codes, which have
minimum distance 5 when m is odd, are never optimal as we show now.
Example 3.27 The Melas code $M_m$ is the cyclic code of length $n = 2^m - 1$
with defining set $\{1, -1\}$. When $m$ is odd, the minimum distance is 5; this
can be proved by using the Hartmann–Tzeng bound (see Chapter 1, Theorem
6.3).
Indeed the defining set contains these three pairs:

$$(1, 2) , \quad (2^{m-1} - 1, 2^{m-1}) , \quad (-1, -2) ,$$

and so contains all the elements

$$1 + i + jc , \quad 0 \le i \le \delta - 2 , \quad 0 \le j \le s ,$$

where $\delta = 3$, $s = 2$ and $c = 2^{m-1} - 2$. Moreover $\gcd(2^m - 1, c) = 1$, since
$2^m - 1 = (2^{m-1} - 2) + (2^{m-1} + 1)$ implies $\gcd(2^m - 1, c) = \gcd(2^m - 1, 2^{m-1} + 1)$,
and it is well-known that $2^r + 1$ is prime to $2^m - 1$, for any $r$, when $m$ is odd.
Finally the HT bound is equal to $\delta + s = 5$; this yields that the minimum
distance is exactly five.
When $m$ is even the minimum distance of the codes $M_m$ is three, since it
contains the codeword whose locators are

$$1 , \ \alpha^{\lambda} , \ \alpha^{2\lambda} \quad \text{with} \quad \lambda = \frac{2^m - 1}{3} ,$$

the three non zero elements of the field of order four. On the other hand
the dual of $M_m$ has “many” weights. This was established by Lachaud and
Wolfmann [94] (see more in Section 3.4.3).
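The search below is an added example, not part of the original text: it finds the minimum distance of $C_{r,s}$ by looking for 2, 3 or 4 columns of the parity check matrix $H$ of Theorem 3.25 that sum to zero, and otherwise falls back on the bound $d \le 5$; it can be run on the Melas codes of Example 3.27 and on entries of Table 6. The primitive polynomials and all function names are choices made for this sketch.

```python
# Added example: minimum distance of the binary cyclic codes C_{r,s} of length
# n = 2^m - 1 with two zeros, found from the columns of H (Theorem 3.25).

# Primitive polynomials over GF(2), bit i = coefficient of x^i (chosen here).
PRIMITIVE_POLY = {
    5: 0b100101,       # x^5 + x^2 + 1
    6: 0b1000011,      # x^6 + x + 1
    7: 0b10000011,     # x^7 + x + 1
    9: 0b1000010001,   # x^9 + x^4 + 1
}


def exp_table(m):
    """Return [alpha^0, ..., alpha^(n-1)] in GF(2^m) as m-bit integers."""
    poly, n = PRIMITIVE_POLY[m], (1 << m) - 1
    table, x = [], 1
    for _ in range(n):
        table.append(x)
        x <<= 1
        if x >> m:                      # reduce modulo the primitive polynomial
            x ^= poly
    return table


def columns(m, r, s):
    """Columns (alpha^(ir), alpha^(is)) of H, each packed into one integer."""
    n = (1 << m) - 1
    exp = exp_table(m)
    return [(exp[i * r % n] << m) | exp[i * s % n] for i in range(n)]


def min_distance_two_zeros(m, r, s):
    """Return (d, support) for C_{r,s}; support is a minimum-weight codeword
    (tuple of positions) when d <= 4 and None when d = 5.
    Assumes m >= 4 and r, s in distinct 2-cyclotomic cosets modulo 2^m - 1."""
    cols = columns(m, r, s)
    n = len(cols)
    index = {}
    for i, c in enumerate(cols):
        if c in index:                  # two equal columns: weight 2
            return 2, (index[c], i)
        index[c] = i
    pair_of_sum, weight4 = {}, None
    for i in range(n):
        for j in range(i + 1, n):
            v = cols[i] ^ cols[j]
            if v in index:              # col_i + col_j = col_k: weight 3
                return 3, (i, j, index[v])
            if weight4 is None:
                if v in pair_of_sum:    # two disjoint pairs with the same sum
                    weight4 = pair_of_sum[v] + (i, j)
                else:
                    pair_of_sum[v] = (i, j)
    if weight4 is not None:
        return 4, weight4
    return 5, None                      # d >= 5 by search, d <= 5 by Theorem 3.25


def is_codeword_support(m, r, s, support):
    """True if the columns of H indexed by distinct positions sum to zero."""
    cols = columns(m, r, s)
    acc = 0
    for i in support:
        acc ^= cols[i]
    return acc == 0 and len(set(support)) == len(support)


if __name__ == "__main__":
    cases = [(5, 1, 30), (6, 1, 62), (6, 3, 9), (9, 1, 3), (9, 1, 7), (9, 1, 9)]
    for m, r, s in cases:
        d, support = min_distance_two_zeros(m, r, s)
        print(f"m={m} defining set {{{r},{s}}}: d={d} witness={support}")
```

For $m = 6$ the witness returned for the Melas code is the support $\{0, 21, 42\}$, i.e. the locators $1, \alpha^{\lambda}, \alpha^{2\lambda}$ with $\lambda = 21$.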
Now we come back to the optimal codes. We will focus on the exceptional
properties of the codes of length $2^m - 1$, $m$ odd, with defining set

$$\{ 1, 2^{2i} - 2^i + 1 \} , \quad \gcd(i, m) = 1 , \qquad (37)$$

in proving Theorem 3.32 later. These codes are equivalent to codes of type
$C_{r,s}$, $r = 2^i + 1$ and $s = 2^{3i} + 1$; the dual of $C_{r,s}$ is then contained in the
RM code of order 2. Kasami proved that such codes are optimal in a more
general context, the determination of the weight enumerator of a number of
cyclic subcodes of the RM code of order 2 [88, Remark 3].
To prove that these codes $C_{r,s}$ are optimal necessitates the use of several
classical tools; it is interesting to notice that, at the moment, the optimality
can be proved only for subcodes of $R^*(2, m)$ – as we will show in the proof.
We have chosen the elements of the proof in [87][88] or [141] because we want
to present different methods which could apply to a large class of codes. The
restriction “$m$ odd” is necessary here but not generally.
The main part of the proof is obtained by means of the first Pless power
moments. The $\ell$th-power moments, derived from MacWilliams identities,
were given by Pless in [124]. We need to recall the first four power moments,
for codes whose minimum distance is at least 3, and a fundamental theorem
(see also Chapter 1, §10).
Lemma 3.28 Let $C$ be any linear code of length $n$ and dimension $k$. Let
$C^{\perp}$ be the dual code. Let us denote by $a_w$ (resp. $b_w$), $w \in [0, n]$, the number
of codewords of weight $w$ in $C$ (resp. in $C^{\perp}$). Assume that $b_1 = b_2 = 0$ –
i.e. the minimum distance of $C^{\perp}$ is at least three. Then the first four power
moments of the weight distribution of $C$ (and $C^{\perp}$) are:

$$\begin{aligned}
\sum_{w=0}^{n} w\, a_w &= 2^{k-1} n \\
\sum_{w=0}^{n} w^2 a_w &= 2^{k-2} n(n + 1) \\
\sum_{w=0}^{n} w^3 a_w &= 2^{k-3} \left( n^2 (n + 3) - 3!\, b_3 \right) \\
\sum_{w=0}^{n} w^4 a_w &= 2^{k-4} \left( n(n + 1)(n^2 + 5n - 2) + 4!\, (b_4 - n b_3) \right) . \qquad (38)
\end{aligned}$$

Our notation is that of Lemma 3.28.


Theorem 3.29 [Theorem 10.7, Chapter 1] Let $S$ be a subset of $[1, n]$ containing
$s$ elements. Then the weight distributions of $C$ and $C^{\perp}$ are uniquely
determined by $b_1, b_2, \dots, b_{s-1}$ and the $a_i$ with $i \notin S$.

The next theorem is actually due to Kasami [87, Theorem 13]. We give
a more general presentation, including codes of any dimension.
Theorem 3.30 Let $C$ be any linear code of length $n$ and dimension $k$ where
$n = 2^m - 1$ and $m$ is odd. Suppose that $C$ does not contain the all-one vector.
Assume that the dual code $C^{\perp}$ has minimum distance at least three. Let us
denote by $a_w$ (resp. $b_w$), $w \in [0, n]$, the number of codewords of weight $w$ in
$C$ (resp. in $C^{\perp}$). Let $w_0$ be the smallest $w$ such that

$$a_w + a_{2^m - w} \neq 0 , \quad 0 < w < 2^{m-1} .$$

The dimension of $C$ cannot satisfy $k < m$; for $k \ge m$ we have the following
statements.
(i) If $k \ge 2m$ then $w_0$ satisfies

$$w_0 \le 2^{m-1} - 2^{(m-1)/2} .$$

Moreover if equality holds, then $b_3 = b_4 = 0$, $k = 2m$ and the weight
distribution of $C$ is the same as the weight distribution of the dual of
the double-error-correcting BCH code, which is

    Weight                       Number of words
    0                            1
    $2^{m-1} - 2^{(m-1)/2}$      $(2^m - 1)(2^{m-2} + 2^{(m-3)/2})$
    $2^{m-1}$                    $(2^m - 1)(2^{m-1} + 1)$
    $2^{m-1} + 2^{(m-1)/2}$      $(2^m - 1)(2^{m-2} - 2^{(m-3)/2})$

(ii) If $m \le k < 2m$, then the minimum distance of $C^{\perp}$ is at most four.
Moreover if $w_0 \ge 2^{m-1} - 2^{(m-1)/2}$, then

$$b_3 + b_4 \le (2^{m-1} - 1)(2^{3m-3} - 2^{k+m-3}) / (3 \cdot 2^{k-1}) . \qquad (39)$$
Proof: We consider the identities $I_\ell = \sum_{w=1}^{n} (w - 2^{m-1})^{\ell} a_w$. Since for $\ell$ even

$$(w - 2^{m-1})^{\ell} = ((2^m - w) - 2^{m-1})^{\ell} ,$$

we have for any even $\ell$ that

$$I_\ell = \sum_{w=1}^{n} (w - 2^{m-1})^{\ell} a_w = \sum_{w=w_0}^{2^{m-1}-1} (w - 2^{m-1})^{\ell} (a_w + a_{2^m - w}) . \qquad (40)$$

Note that the codeword of weight zero is not taken into account in the sum
above; on the other hand, by hypothesis, C does not contain the all-one
codeword.
The values of $I_2$ and $I_4$ are simply obtained by using the four power
moments given by (38). We do not develop all the computations, indicating
the way only. Recall that $\sum_{w=1}^{n} a_w = 2^k - 1$.

$$\begin{aligned}
I_2 &= 2^{2m-2} \sum_{w=1}^{n} a_w - 2^{m} \sum_{w=1}^{n} w\, a_w + \sum_{w=1}^{n} w^2 a_w \\
    &= 2^{2m-2} (2^k - 1) - 2^{m}\, 2^{k-1} n + 2^{k-2} n(n + 1) ,
\end{aligned}$$

$$\begin{aligned}
I_4 &= \sum_{w=1}^{n} \left( 2^{4m-4} a_w - 2^{3m-1} w\, a_w + 3 \cdot 2^{2m-1} w^2 a_w - 2^{m+1} w^3 a_w + w^4 a_w \right) \\
    &= 2^{4m-4} (2^k - 1) - 2^{3m+k-2} n + 3 \cdot 2^{2m+k-3} n(n + 1) - 2^{m+k-2} \left( n^2 (n + 3) - 3!\, b_3 \right) \\
    &\quad + 2^{k-4} \left( n(n + 1)(n^2 + 5n - 2) + 4!\, (b_4 - n b_3) \right) .
\end{aligned}$$

We replace $n$ by $2^m - 1$ and obtain

$$I_2 = 2^{k+m-2} - 2^{2m-2} \qquad (41)$$

and

$$I_4 = 2^{k+m-4} (3 \cdot 2^m - 2) - 2^{4m-4} + 3 \cdot 2^{k-1} (b_3 + b_4) . \qquad (42)$$

Now we consider by (40)

$$I_4 - 2^{m-1} I_2 = \sum_{w=w_0}^{2^{m-1}-1} (w - 2^{m-1})^2 \left( (w - 2^{m-1})^2 - 2^{m-1} \right) (a_w + a_{2^m - w}) . \qquad (43)$$

Note that $|w - 2^{m-1}| \le 2^{(m-1)/2}$ implies that the $w$th term above is less than
or equal to zero. From (41) and (42) we have

$$I_4 - 2^{m-1} I_2 = (2^{m-1} - 1)(2^{k+m-3} - 2^{3m-3}) + 3 \cdot 2^{k-1} (b_3 + b_4) . \qquad (44)$$

When $k < m$, the value of $I_2$ is strictly negative which is impossible,
proving that $C$ cannot satisfy the hypothesis of the theorem.
(i) Suppose that $k \ge 2m$. Then, from (44), the value of $I_4 - 2^{m-1} I_2$ cannot
be negative. In the sum (43), the terms corresponding to those $w$ satisfying
$2^{m-1} - 2^{(m-1)/2} < w < 2^{m-1}$ are negative. Thus we have proved that the
value of $w_0$ is at most $2^{m-1} - 2^{(m-1)/2}$.
When $w_0 = 2^{m-1} - 2^{(m-1)/2}$, the only possibility is $I_4 - 2^{m-1} I_2 = 0$ (see
(43)). We deduce from (44) that $k = 2m$ and $b_3 + b_4 = 0$. Therefore $C$ has
dimension $2m$ and $C^{\perp}$ has minimum distance at least five; moreover only
three $a_w$ are unknown which correspond to

$$w = 2^{m-1} \pm 2^{(m-1)/2} \quad \text{or} \quad w = 2^{m-1} .$$

Now we apply Theorem 3.29. As $b_1 = b_2 = 0$ and the $a_w$ are unknown for
only three values of $w$, the weight enumerator of $C$ (and of $C^{\perp}$) is unique.
Since the 2-error-correcting BCH code satisfies our hypothesis, its weight
polynomial is the solution.
(ii) If $k = m$, then $I_2 = 0$, proving that $C$ has only one weight, $w = 2^{m-1}$, –
i.e. the code $C$ has the same weight distribution as the simplex code.
Assume that $m \le k < 2m$. There is no linear code with parameters
$[2^m - 2, k' \ge 2^m - 2m - 1, 5]$ [33]. If there exists a linear $[2^m - 1, 2^m - 2m, 5]$ code
then we can construct a linear $[2^m - 2, 2^m - 2m - 1, 5]$ code, a contradiction.
So the minimum distance of $C^{\perp}$ is at most four.
When $w_0 \ge 2^{m-1} - 2^{(m-1)/2}$, the value of $I_4 - 2^{m-1} I_2$ must be less than
or equal to zero (see (44)), giving condition (39) on $b_3 + b_4$ and completing
the proof.


Corollary 3.31 The hypotheses are those of Theorem 3.30. Furthermore
$k = 2m$.
When $C$ is a subcode of $R^*(2, m)$, the punctured RM code of order two,
then $w_0$ equals $2^{m-1} - 2^{(m-1)/2}$ if and only if $b_3 = b_4 = 0$.
In other words, the weight enumerator of $C$ is the same as the weight
enumerator of the dual of the double-error-correcting BCH code if and only
if $C^{\perp}$ has minimum distance five.

Proof: The weight distribution of the code $R^*(2, m)$ is well-known (see Theorem
13.3 of Chapter 1). In particular when $m$ is odd, this code has no words
of weight $w$ such that $2^{m-1} - 2^{(m-1)/2} < w < 2^{m-1}$. Therefore this property
holds for any subcode $C$ of $R^*(2, m)$. So in accordance with (43) and (44),
we have

$$\begin{aligned}
I_4 - 2^{m-1} I_2 &= \sum_{w=w_0}^{2^{m-1} - 2^{(m-1)/2}} (w - 2^{m-1})^2 \left[ (w - 2^{m-1})^2 - 2^{m-1} \right] (a_w + a_{2^m - w}) \\
                  &= 3 \cdot 2^{k-1} (b_3 + b_4) ,
\end{aligned}$$

where $(w - 2^{m-1})^2 - 2^{m-1} \ge 0$ for any $w$ in the range $[w_0, 2^{m-1} - 2^{(m-1)/2}]$.
Then $b_3 + b_4 = 0$ means $a_w + a_{2^m - w} = 0$ unless $w$ is in $\{ 2^{m-1} \pm 2^{(m-1)/2}, 2^{m-1} \}$.


Theorem 3.32 Let $n = 2^m - 1$, where $m$ is odd, $m > 4$. Let $m = 2t + 1$ and
$j \in [1, t]$ such that $\gcd(j, m) = 1$. Let $C$ be the binary cyclic code of length $n$
with defining set

$$\{ 2^j + 1, \ 2^{3j} + 1 \bmod n \} .$$

Then the minimum distance of $C$ is five. Moreover the weight distribution of
the dual code $C^{\perp}$ is exactly the weight distribution of the dual of the
double-error-correcting BCH code (see Theorem 3.30).
Note that $C$ is equivalent to the code whose defining set is given by (37).

Proof: Note that the value of $2^{3j} + 1$ is to be considered modulo $2^m - 1$.
Let us denote by $d$ the minimum distance of $C$; we know from Theorem 3.25
that $d \le 5$. First we remark that

$$2^{3j} + 1 = (2^j + 1)(2^{2j} - 2^j + 1) \quad \text{with} \quad \gcd(2^j + 1, n) = 1 ,$$

since $m$ is odd. Then the code $C$ is equivalent to the code $C_{1,t}$, $t = 2^{2j} - 2^j + 1$
(see (37)).
The dual of $C$ is the cyclic code with defining set

$$\{ 0, \dots, n - 1 \} \setminus cl(2^m - 2^j - 1) \cup cl(2^m - 2^{3j} - 1) .$$

Recall that the defining set of $R^*(2, m)$ is

$$\{ s \in [0, n - 1] \mid 0 < wt_2(s) < m - 2 \} .$$

So $C^{\perp}$ is contained in $R^*(2, m)$. Hence if we show that $d \ge 5$, then we can
apply Corollary 3.31 and prove the theorem.
After the first proof of Kasami it was proved that $d = 5$ by van Lint
and Wilson [141] and, more recently, by Janwa et al. [81].

We will briefly explain the proof given in [141, Theorem 17]. For any
subset of $F^*$, let $A = \{\alpha^{i_1}, \dots, \alpha^{i_u}\}$, denote by $M(A)$ the following matrix

$$M(A) = \begin{pmatrix}
1 & \alpha^{i_1} & \alpha^{2 i_1} & \dots & \alpha^{(n-1) i_1} \\
1 & \alpha^{i_2} & \alpha^{2 i_2} & \dots & \alpha^{(n-1) i_2} \\
\vdots & \vdots & \vdots & & \vdots \\
1 & \alpha^{i_u} & \alpha^{2 i_u} & \dots & \alpha^{(n-1) i_u}
\end{pmatrix} .$$

For a fixed $\ell$, consider the ranks of any $\ell$ columns of $M(A)$. We denote
by $r(\ell, A)$ the minimum of these ranks. For any two subsets $A$ and $B$, the
product of $A$ and $B$ is denoted by $AB$. This is the set of the elements $\xi\nu$,
$\xi \in A$ and $\nu \in B$. In accordance with [141, Theorem 5], every time we can
find $A$ and $B$ such that $AB$ is contained in the defining set of $C$, then we
have the following property: there could be a codeword of weight $\ell$ in $C$ only
if $\ell$ satisfies

$$r(\ell, A) + r(\ell, B) \le \ell .$$

Taking $A = \{\alpha^{2^{j}}, \alpha^{2^{3j}}\}$ and $B = \{\alpha, \alpha^{2^{2j}}, \alpha^{2^{4j}}\}$, it is easy to check that
$AB$ is contained in the defining set of $C$. Moreover it is clear that any two
columns of $M(A)$ have rank two. It is proved in [141, Lemma 4] that any
four columns of $M(B)$ have rank three. Now suppose that there exists a
codeword $x \in C$ of weight $\ell$, with $3 \le \ell \le 5$. Then for each value of $\ell$ we
have $r(\ell, A) \ge 2$ and $r(\ell, B) \ge 3$, implying $\ell \ge 5$. We have proved that
$d = 5$.
Since $C^{\perp}$ is in $R^*(2, m)$ and the minimum distance of $C$ is five, then the
weight enumerator of $C^{\perp}$ is exactly the weight enumerator of the dual of the
double-error-correcting BCH code, completing the proof.


Explanation of Tables 6, 7 and 8 Our purpose is to illustrate this
section by giving the minimum distance and the weight enumerators of the
dual codes of all codes $C_{1,\ell}$ of length 511. Recall that $C_{1,\ell}$ is the binary cyclic
code whose zeros are $\alpha$, $\alpha^{\ell}$ and their conjugates – $\alpha$ being a primitive root
of $GF(2^9)$.
In Table 6, we give for each value of $\ell$ the minimum distance $d$ of $C_{1,\ell}$ and
a reference $p_i$ denoting the weight enumerator of $C_{1,\ell}^{\perp}$. Since there are 60
2-cyclotomic cosets modulo 511, there are 59 codes $C_{1,\ell}$. Two such codes can
only be equivalent under a multiplier, because 511 and $\varphi(511)$ are relatively
prime ($\varphi$ is the Euler function). This means that $C_{1,\ell}$ is equivalent to $C_{1,t}$
if and only if $t = \ell^{-1}$ with $\gcd(\ell, 511) = 1$, where the inverse is calculated
modulo 511 (see Theorem 5.22 in Chapter 1).

    ℓ   d  wed      ℓ   d  wed      ℓ   d  wed      ℓ   d  wed      ℓ   d  wed
    3   5  p1       5   5  p1       7   4  p2       9   3  p3      11   3  p4
   13   5  p1      15   3  p5      17   5  p1      19   5  p1      21   4  p2
   23   3  p4      25   3  p4      27   5  p1      29   3  p6      31   5  p1
   35   4  p2      37   3  p7      39   3  p8      41   4  p9      43   3  p4
   45   4  p10     47   5  p1      51   3  p11     53   3  p6      55   3  p12
   57   3  p3      59   5  p1      61   4  p13     63   4  p14     73   3  p15
   75   3  p16     77   3  p17     79   3  p6      83   4  p18     85   3  p19
   87   5  p1      91   4  p20     93   3  p4      95   3  p8     103   5  p1
  107   3  p4     109   3  p4     111   4  p13    117   4  p18    119   4  p21
  123   3  p6     125   4  p10    127   3  p19    171   5  p1     175   4  p22
  183   3  p7     187   4  p9     191   3  p11    219   3  p23    223   3  p12
  239   3  p5     255   5  p24

Table 6: The codes $C_{1,\ell}$ of length 511; $d$ is the minimum distance and wed
designates the weight enumerator of the dual code. The weight enumerators
$p_i$ are given in Tables 7 and 8. These tables are explained at the end of
Section 3.4.2.

The weight enumerators $p_i$ are given in Table 7 (list 1) and Table 8
(list 2). One obtains, in all, 24 weight enumerators $p_i$, $1 \le i \le 24$.
Note that 12 codes have $p_1$ as weight enumerator; 5 of them, $C_{1,\ell}$ with $\ell \in
\{3, 5, 13, 17, 47\}$, are duals of the known optimal codes previously described.
The code $C_{1,19}$ corresponds to the Welch conjecture, that we give below. Up
to equivalence we have then all the optimal codes we expected. The only
non optimal code with minimum distance 5 is $C_{1,255}$, the Melas code. This
situation does not hold for $m > 9$. Other optimal codes and other non
optimal codes with minimum distance 5 will appear.
To conclude we remark that other weight enumerators, such as $p_4$, appear
several times. Note that the weight enumerators $p_{15}$ and $p_{23}$ have minimum
weight greater than 240.
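The power moments (38) can be solved for $b_3$ and $b_4$ once the weight distribution of the dual code is known. The following Python sketch is an added example, not code from the original text: it takes the rows $p_1$, $p_3$ and $p_4$ of Table 7 (duals of $C_{1,3}$, $C_{1,9}$ and $C_{1,11}$, so $n = 511$ and $k = 18$), recovers the number of codewords of weight three and four in $C_{1,\ell}$, and cross-checks the sum against identity (44); the function names are illustrative.

```python
# Added example: recover b3 and b4 of C_{1,l} (length 511) from the weight
# distribution of its dual, using the power moments (38) and identity (44).
M, N, K = 9, 511, 18      # m, n = 2^m - 1, dimension k = 2m of the dual code

# Rows of Table 7 (weight -> number of codewords), copied from the page.
TABLE7 = {
    "p1": {240: 69496, 256: 131327, 272: 61320},                       # l = 3
    "p3": {224: 18396, 256: 229439, 288: 14308},                       # l = 9
    "p4": {224: 4599, 240: 55188, 256: 146657, 272: 55188, 288: 511},  # l = 11
}


def moment(dist, e):
    """e-th power moment sum_w w^e a_w over the nonzero weights."""
    return sum(w ** e * a for w, a in dist.items())


def exact_div(num, den):
    """Integer division that refuses a remainder (inconsistent input data)."""
    q, r = divmod(num, den)
    if r:
        raise ValueError("distribution is not consistent with (38)")
    return q


def low_weight_counts(dist, n=N, k=K):
    """Return (b3, b4), the numbers of codewords of weight 3 and 4 in the dual
    of the code whose nonzero weight distribution is `dist`."""
    if moment(dist, 0) != 2 ** k - 1:
        raise ValueError("wrong number of codewords")
    # The first two moments hold exactly when b1 = b2 = 0.
    if (moment(dist, 1) != 2 ** (k - 1) * n
            or moment(dist, 2) != 2 ** (k - 2) * n * (n + 1)):
        raise ValueError("first two power moments fail")
    # Third moment: sum w^3 a_w = 2^(k-3) (n^2 (n+3) - 3! b3).
    b3 = exact_div(n * n * (n + 3) - exact_div(moment(dist, 3), 2 ** (k - 3)), 6)
    # Fourth moment: sum w^4 a_w = 2^(k-4) (n(n+1)(n^2+5n-2) + 4! (b4 - n b3)).
    rest = exact_div(moment(dist, 4), 2 ** (k - 4)) - n * (n + 1) * (n * n + 5 * n - 2)
    b4 = exact_div(rest, 24) + n * b3
    return b3, b4


def b3_plus_b4_from_44(dist, m=M, k=K):
    """b3 + b4 obtained from I4 - 2^(m-1) I2 as in (44)."""
    c = 2 ** (m - 1)
    i2 = sum((w - c) ** 2 * a for w, a in dist.items())
    i4 = sum((w - c) ** 4 * a for w, a in dist.items())
    const = (c - 1) * (2 ** (k + m - 3) - 2 ** (3 * m - 3))
    return exact_div(i4 - c * i2 - const, 3 * 2 ** (k - 1))


if __name__ == "__main__":
    for name, dist in TABLE7.items():
        b3, b4 = low_weight_counts(dist)
        print(name, "b3 =", b3, "b4 =", b4, "(44) gives", b3_plus_b4_from_44(dist))
```

The row $p_1$ gives $b_3 = b_4 = 0$, in agreement with $d = 5$ in Table 6, while $p_3$ and $p_4$ give $b_3 = 511$, in agreement with $d = 3$.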

p1   w    240 256 272
     a_w  69496 131327 61320
p2   w    196 228 232 236 244 248 252 256 260
     a_w  73 511 9198 13797 13797 45990 64605 511 18396
     w    264 268 276 280 284
     a_w  52122 29127 4599 4818 4599
p3   w    224 256 288
     a_w  18396 229439 14308
p4   w    224 240 256 272 288
     a_w  4599 55188 146657 55188 511
p5   w    224 232 236 240 244 248 252 256 260
     a_w  4599 4599 9198 9198 19929 22995 51100 37814 27594
     w    264 268 272 276 280
     a_w  32193 9198 18396 13797 1533
p6   w    216 232 240 248 256 264 272 280
     a_w  511 13797 27594 50589 76139 59787 27594 6132
p7   w    208 216 224 232 240 248 256 264 272
     a_w  1533 511 4599 10731 13797 50589 83804 68985 27594
p8   w    232 240 248 256 264 272 280 288
     a_w  15330 27594 50589 74606 55188 36792 1533 511
p9   w    224 232 240 248 256 264 272 280 312
     a_w  4599 4599 22995 70518 71540 50589 32193 4599 511
p10  w    232 240 248 256 264 272 280
     a_w  13797 18907 70518 79205 32193 41391 6132
p11  w    232 236 240 244 248 252 256 260 264
     a_w  15330 13797 4599 13797 18396 41902 42413 41391 27594
     w    268 272 276 292
     a_w  13797 22995 4599 1533
p12  w    204 212 232 236 240 244 248 252 256
     a_w  511 1533 10731 13797 4599 13797 18396 36792 51611
     w    260 264 268 272 276
     a_w  36792 32193 18396 13797 9198
p13  w    232 240 248 256 264 272 280 312
     a_w  13797 27594 52122 76139 59787 27594 4599 511

Table 7: The weight enumerators of the duals of the codes $C_{1,\ell}$ of length 511:
list 1. The number of codewords of weight $w$ is denoted by $a_w$. This table is
explained at the end of Section 3.4.2.

p14  w    196 228 236 240 244 248 252 256 260
     a_w  73 4599 4599 24528 27594 18396 41610 28105 36792
     w    264 268 272 276 280 300
     a_w  27594 24528 9198 9198 4818 511
p15  w    244 256 260 276 292
     a_w  1533 511 1533 511 7
p16  w    208 224 232 240 248 256 264 272
     a_w  1533 1533 9198 28105 55188 56210 82782 27594
p17  w    196 216 220 228 232 236 244 248 252
     a_w  73 1533 1533 511 9198 13797 13797 36792 55407
     w    256 260 264 268 276 280
     a_w  511 18396 64386 41391 4599 219
p18  w    224 232 240 248 256 264 272 280 312
     a_w  1533 4599 41391 55188 56210 68985 32193 1533 511
p19  w    228 232 240 244 248 252 256 260 264
     a_w  9198 4599 13797 18396 36792 32704 30149 45990 22995
     w    268 272 280
     a_w  24528 13797 9198
p20  w    196 228 232 236 244 248 252 256 260
     a_w  73 511 4599 18396 13797 59787 50808 511 18396
     w    264 268 276 280
     a_w  38325 42924 4599 9417
p21  w    196 220 232 236 240 244 248 252 256
     a_w  73 1533 4599 4599 13797 36792 22995 37011 32704
     w    260 264 268 272 276 280 288 300
     a_w  32193 22995 27594 13797 9198 219 1533 511
p22  w    196 232 236 240 244 248 252 256 260
     a_w  73 4599 13797 15330 27594 22995 27813 28105 50589
     w    264 268 272 280 284 300
     a_w  22995 24528 18396 219 4599 511
p23  w    244 252 256 268 292
     a_w  1533 511 511 1533 7
p24  w    234 236 238 240 242 244 246 248 250
     a_w  4599 9198 4599 4599 22995 10731 9198 22995 9198
     w    252 254 256 258 260 262 264 266 268
     a_w  13797 22995 10220 9709 18396 13797 13797 13797 4599
     w    270 272 274 276 278
     a_w  9198 18396 9198 4599 1533

Table 8: The weight enumerators of the duals of the codes $C_{1,\ell}$ of length 511:
list 2. The number of codewords of weight $w$ is denoted by $a_w$. This table is
explained at the end of Section 3.4.2.

Comments on Section 3.4.2 As we already said, the properties of the
binary primitive codes with two zeros are linked with the properties of
sequences (see a recent example in [35]); for instance codes with two zeros and
minimum distance three provide binary sequences which have the trinomial
property. On the other hand we will give, in Section 4.1, an example of the
involvement of codes with two zeros in some cryptographic problems.
To characterize new cyclic codes with two zeros which are optimal, even
not optimal but with minimum distance five, remains a hard open problem.
There are no results other than those of Kasami. We want to mention the
oldest conjecture, the so-called conjecture of Welch: the codes $C_{1,\ell}$, of length
$2^m - 1$, with

$$\ell = 2^t + 3 \quad \text{and} \quad m = 2t + 1 ,$$

have minimum distance five; furthermore they have the same weight enumerator
as the 2-error-correcting BCH code.
The papers of Janwa et al. explain why generally the minimum weight
of binary cyclic codes with two zeros is not more than four [81][82]. On the
other hand, Charpin et al. introduced tools for the classification of primitive
binary cyclic codes of distance three [58]: when the length is $2^m - 1$ where
$m$ is not a prime, one can characterize many such codes; in some cases it is
possible to give exactly the number of codewords of weight three. However
the whole description of cyclic codes of minimum distance three remains an
open, and apparently difficult, problem.
A very difficult problem is the determination of the weight enumerator
of cyclic codes with two zeros, even when codes whose minimum distance
is known are considered. All numerical results show that the number of
distinct weight enumerators for such codes increases with the length $2^m - 1$.
On the other hand several codes have the same weight enumerator and are
not equivalent. As an example, we treat the case $m = 9$ in Tables 6, 7 and
8 which are explained above.
Note that for cyclic codes whose duals are contained in the Reed-Muller
code of order two, the classification is not achieved. We do not know the
weight enumerator of any cyclic code whose zeros have the form $\alpha^{2^i + 2^k}$; for
instance such codes which have the same weight enumerator as the
3-error-correcting BCH code are not yet characterized (see [144]).
To conclude we want to mention possible extensions of the tools that we
have presented to other codes and to odd characteristics.

3.4.3 On irreducible cyclic codes


Irreducible cyclic codes are also said to be minimal cyclic codes because they
are the minimal ideals of the algebra $R_n$ of cyclic codes of length $n$ over $k$.
More precisely an irreducible cyclic code is a cyclic code which has only one
non zero (see Chapter 1, Theorem 5.25). We first present this definition in
the ambient space $M = k[G^*]$, where $k$ is the field of order $q$ and $G^*$ is the
multiplicative group of order $n$ over $k$ (see §2.2). The splitting field of $X^n - 1$
is denoted by $F$ and has order $q^{m'}$.

Definition 3.33 Let $\alpha$ be an $n$th root of unity. Denote by $cl(t)$, $1 \le t \le
n - 1$, the $q$-cyclotomic coset modulo $n$ containing $t$.
An irreducible cyclic code $C$ with parameters $[n, m']$ is a cyclic code of $M$
whose defining set is of the form

$$\{ s \in [0, n - 1] \mid s \notin cl(-k) \} ,$$

where $cl(-k)$ is assumed to have cardinality $m'$. Then the MS polynomial of
$C$ is

$$M_C(X) = \lambda X^{k} + \lambda^{q} X^{kq} + \dots + \lambda^{q^{m'-1}} X^{q^{m'-1} k \bmod n} , \quad \lambda \in F .$$

Note that $M_C(X) = Tr(\lambda X^k)$ where $Tr$ is the trace function from $F$ to $k$.
Set $\beta = \alpha^k$; if $\beta$ is an $n$th root of unity, then the codewords of $C$ are the
$n$-tuples

$$\left( Tr(\lambda), Tr(\lambda\beta), \dots, Tr(\lambda\beta^{n-1}) \right) , \quad \lambda \in F .$$

The code $C$ is said to be an irreducible cyclic code with parameters $[n, m']$
over $k$ (it is defined up to equivalence).

Example 3.34 Let $C$ be an irreducible binary cyclic code of length $n = 23$;
since the splitting field of $X^{23} - 1$ is $GF(2^{11})$, the code $C$ has parameters
$[23, 11]$. The 2-cyclotomic cosets modulo 23 are $\{0\}$,

$$\{ 1, 2, 4, 8, 16, 9, 18, 13, 3, 6, 12 \} , \text{ and}$$

$$\{ 5, 10, 20, 17, 11, 22, 21, 19, 15, 7, 14 \} .$$

Taking $\{0\} \cup cl(1)$ as the defining set of $C$, the MS polynomial is $Tr(\lambda X)$,
$\lambda \in GF(2^{11})$. Note that $cl(1)$ is the set of the quadratic residues in the
finite field of order 23. According to Definition 2.10, $C$ is the $[23, 11, 8]$
quadratic residue code. It is the subcode of codewords of even weights of
the $[23, 12, 7]$ Golay code. Golay codes are extensively studied in Chapter
1; see in particular Example 6.9 in Chapter 1 for the determination of the
minimum distance.

It is important to remember that any $[n, m']$ irreducible cyclic code over
$GF(q)$ is isomorphic to the finite field $GF(q^{m'})$; although this correspondence
has no connection with the Hamming weight, it places irreducible codes at
the center of some work on finite fields. More generally the research on the
weight enumerator of irreducible cyclic codes remains important because of
the number of fundamental problems which are concerned with finite fields
– see for instance the links with the diagonal equations in Section 2.3.
The most significant work is due to McEliece et al. who pointed out the
existence of a close connection between irreducible cyclic codes and Gauss
sums over finite fields [14, 106, 108]. The main result, which is obtained by
means of a famous theorem of Davenport and Hasse, follows:
    For any fixed prime $p$ and for any positive integer $k$ prime to $p$,
    denote by $m$ the multiplicative order of $p$ modulo $k$. Define the
    infinite sequence of irreducible cyclic codes $C_j$ with parameters

    $$[n_j, mj] , \quad n_j = (p^{mj} - 1)/k , \quad j \ge 1 , \quad \text{on } GF(p) . \qquad (45)$$

    Then the calculation of the corresponding sequence of weight
    enumerators is reduced to the single calculation of the weight
    enumerator of $C_1$.
This work was inspired by the study of irreducible binary codes, due to
Delsarte and Gœthals [63], in which the computation of the sequence of
weight enumerators is obtained simply by multiplying (iteratively) the vector
of weights by a corresponding circulant matrix. The main result in [63] is
in the description of a class of irreducible binary codes in which only two
weights occur. This is generalized in [14] leading to the conjecture that any
two-weight cyclic code is irreducible. Little is known about irreducible cyclic
codes with three weights; see [15] and recent results in [95].
Many numerical results can be found in the papers previously quoted and
in [110].
Henceforth the “numerical” problem is to determine the weight enumera-
tor of one code for each sequence (45). From a theoretical point of view, the
study of any specific class is of great interest and one can say that few general
results have been obtained. The first reference is the work of Helleseth et
al. on an infinite class of irreducible cyclic codes with fixed block length [79].
As an example of an interesting construction, the connection with product
codes is explained in [70].

The most recent result is due to Langevin and Zanotti who have
characterized a class of irreducible codes with balanced weight distribution –
i.e. such that there is the same number of codewords for any non zero weight
of the code. A description is given in [96] and [152]. Note that the number
of nonzero weights must divide p − 1, implying that there are no such binary
codes except the simplex code.
On the other hand consider the class of binary irreducible codes $C^{(m)}$ of
length $n = 2^m + 1$ and dimension $2m$. Clearly $2^m + 1 = (2^{2m} - 1)/(2^m - 1)$
where $m$ is the order of 2 modulo $2^m - 1$. Then $C^{(m)}$ is the second code of
the sequence of irreducible cyclic codes $C_t^{(m)}$ with parameters $[n_t, mt]$ where

$$n_t = \frac{2^{mt} - 1}{2^m - 1} = \frac{(2^m - 1)(2^{m(t-1)} + \dots + 2^m + 1)}{2^m - 1} = 2^{m(t-1)} + \dots + 2^m + 1 .$$

We give in Table 9 the weight enumerators of the codes $C^{(m)}$ for $5 \le m \le 10$.
A relationship between the weight enumerators of the code $C^{(m)}$ and of
the Melas code of length $2^m - 1$ was established by Tiersma in [125]. On
the other hand, Lachaud and Wolfmann proved in [94] that the weights
of the non zero words of $C^{(m)}$ are all the even integers $w$ such that

$$\frac{2^m + 1}{2} - 2^{m/2} \le w \le \frac{2^m + 1}{2} + 2^{m/2} .$$

This description was obtained by giving an explanation of the links between
the weights of Melas codes and some results on elliptic curves and Kloosterman
sums over $GF(2^m)$. The problem of the complete determination of
the weight enumerator of the Melas code remains open; any result on the
number of words of a given weight could apply to the problem of the values
of Kloosterman sums. The ternary Melas codes were studied in [147].
We conclude this section with an application of Theorem 3.20 to the
divisibility of irreducible cyclic codes. Note that although we treat codes
with the most simple set of non zeros, we can only improve the algorithm
for computing divisibility. It is generally difficult to determine divisibility
of a given infinite class of cyclic codes. One can see the next proposition
as an illustration of this general open problem: find a precise formula for
divisibility of some class of cyclic codes.
n=9     w    2 4 6
m=3     a_w  9 27 27
n=17    w    6 8 10 12
m=4     a_w  68 85 68 34
n=33    w    12 14 16 18 20 22
m=5     a_w  165 165 165 330 165 33
n=65    w    26 28 30 32 34 36 38 40
m=6     a_w  390 455 780 780 390 585 520 195
n=129   w    54 56 58 60 62 64 66 68 70 72 74
m=7     a_w  903 903 1032 2709 903 1806 2709 903 1806 1806 903
n=257   w    114 116 118 120 122 124 126 128 130 132 134
m=8     a_w  2056 4112 2056 4626 6168 4112 8224 4112 4112 5140 4122
        w    136 138 140 142 144
        a_w  4112 4112 5140 2056 1285
n=513   w    234 236 238 240 242 244 246 248 250
m=9     a_w  1539 4617 9234 18468 9234 4617 13851 13851 13851
        w    252 254 256 258 260 262 264 266 270
        a_w  18468 9747 9234 23085 13851 9234 23085 9234 10773
        w    272 274 276 278
        a_w  23085 4617 9234 4617
n=1025  w    482 484 486 488 490 492 494 496 498
m=10    a_w  12300 11275 30750 20500 30750 41000 41000 20500 41000
        w    500 502 504 506 508 510 512 514 516
        a_w  61500 20500 46125 41000 20500 41000 61500 30750 41000
        w    518 520 522 524 526 528 530 532 534
        a_w  51250 46125 51250 20500 20500 41000 51250 35875 20500
        w    536 538 540 542 544
        a_w  20500 20500 30750 20500 5125

Table 9: Weight enumerators of the irreducible binary cyclic codes of length
$n = 2^m + 1$ and dimension $2m$, $4 \le m \le 10$ (see §3.4.3); $a_w$ denotes the
number of codewords of weight $w$.

Proposition 3.35 Let $C$ be an $[n, m]$ irreducible cyclic code over $GF(p)$
with $n\mu = p^m - 1$. Set $\tau_j = \mathrm{lcm}(wt_p(jn), p - 1)$, $1 \le j \le \mu$. Define

$$\tau = \min \{ \tau_j \mid 1 \le j \le \mu \} \quad \text{and} \quad \ell = \frac{\tau}{p - 1} - 1 .$$

Then $C$ is $p^{\ell}$-divisible and not $p^{\ell+1}$-divisible.
Proof: Let $\sum_{i=0}^{m-1} \nu_i p^i$ be the $p$-ary expansion of $n$; recall that $wt_p(n)$ is the
integer sum $\sum_{i=0}^{m-1} \nu_i$, called the $p$-weight of $n$. Let $U$ be the set of those
$s \in [0, n - 1]$ which are not in the defining set of $C$. According to Definition
3.33, we assume that $U = cl(-1)$, the $p$-cyclotomic coset of $-1$ modulo $n$.
In accordance with Theorem 3.20, we have to determine the smallest integer
$r$ divisible by $p - 1$ such that $r$ elements of $U$, say $\{u_1, \dots, u_r\}$, satisfy
$\sum_{i=1}^{r} u_i = 0$ modulo $n$.
Set $r = \sum_{i=0}^{m-1} r_i$, meaning that the element $-p^i$ occurs $r_i$ times – i.e. $r_i$
elements of $\{u_1, \dots, u_r\}$ are equal to $-p^i$. We know from Theorem 3.20 that
$r_i \le p - 1$, for all $i$. Set $I_r = \sum_{i=0}^{m-1} r_i p^i$. Then we must have $I_r \equiv 0$ modulo
$n$.
Clearly $I_r \equiv 0$ is satisfied for any $r$ such that $I_r = jn$, $1 \le j \le \mu$. In this
case $r$ is exactly the $p$-weight of $jn$. We consider those $r$ which are divisible
by $p - 1$ only. Then the smallest available $r$ is equal to the smallest value of
$\mathrm{lcm}(wt_p(nj), p - 1)$ and $\ell$ is determined.
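Proposition 3.35 is directly computable. The sketch below is an added example, not code from the original text: it evaluates $\ell$ from the $p$-weights of $jn$ and compares it with the divisibility observed on the weights listed in the first rows of Table 9 and on the $[23, 11, 8]$ code of Example 3.34, whose nonzero weights 8, 12 and 16 are the even weights of the binary Golay code; the function names are illustrative.

```python
# Added example: divisibility exponent of an irreducible cyclic code
# (Proposition 3.35), compared with weights listed on the page.
from math import gcd


def p_weight(x, p):
    """Sum of the digits of x written in base p (the p-weight wt_p)."""
    total = 0
    while x:
        x, digit = divmod(x, p)
        total += digit
    return total


def divisibility_exponent(n, m, p=2):
    """Return l such that the [n, m] irreducible cyclic code over GF(p) is
    p^l-divisible and not p^(l+1)-divisible."""
    mu, rem = divmod(p ** m - 1, n)
    if rem:
        raise ValueError("n must divide p^m - 1")

    def tau(j):
        w = p_weight(j * n, p)
        return w * (p - 1) // gcd(w, p - 1)       # lcm(wt_p(jn), p - 1)

    return min(tau(j) for j in range(1, mu + 1)) // (p - 1) - 1


def observed_exponent(weights, p=2):
    """Largest e such that p^e divides every weight in the list."""
    e = 0
    while all(w % p ** (e + 1) == 0 for w in weights):
        e += 1
    return e


# (length, dimension) -> nonzero weights. The first four entries are rows of
# Table 9 (dimension 2m); the last one is the code of Example 3.34.
KNOWN_WEIGHTS = {
    (9, 6): [2, 4, 6],
    (17, 8): [6, 8, 10, 12],
    (33, 10): [12, 14, 16, 18, 20, 22],
    (65, 12): [26, 28, 30, 32, 34, 36, 38, 40],
    (23, 11): [8, 12, 16],
}


def compare_with_page():
    """Return {(n, dim): (l from Proposition 3.35, l observed on the weights)}."""
    return {key: (divisibility_exponent(*key), observed_exponent(ws))
            for key, ws in KNOWN_WEIGHTS.items()}


if __name__ == "__main__":
    for (n, dim), (predicted, observed) in compare_with_page().items():
        print(f"[{n}, {dim}]: predicted l = {predicted}, observed l = {observed}")
```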


3.5 Automorphism groups of cyclic codes


Chapter(Huffman) deals with the general problem of automorphism groups
of codes. We want to mention recent results on cyclic codes and briefly
discuss open problems only.
Huffman has recently studied the automorphism groups of the extended
generalized quadratic residue codes. He gave the full automorphism groups
as groups of semi-affine transformations [80]. On the other hand the permu-
tation groups of affine-invariant codes were characterized by Berger and
Charpin [18] [21]. Berger proved later that the automorphism group is
easily deduced [17]. All these results can be used now in other contexts, for
example, the determination of the automorphism group of codes constructed
from other codes such as repeated-root cyclic codes or concatenated codes.
Another application could be the study of non linear cyclic codes. We will
conclude this section with an example showing how to construct non linear
affine-invariant codes.
The general problem of determining the automorphism group of any cyclic
or extended cyclic code is a difficult problem. There is probably no general
answer and the best way seems to be the study of special classes. One
can mention first the irreducible cyclic codes (see a recent result on a special
subclass in [153]). More generally there are no results on non primitive codes.
However, the results of [21] suggest the conjecture that the permutation
group of any cyclic code will be generally small, i.e. the group G generated
by the shift and some Frobenius mapping depending on the alphabet field.
Indeed, even when the extended code is affine-invariant, it appears that many
cyclic codes have G as permutation group. According to [21, Theorem 6], one
can conjecture that, generally, cyclic codes of length $p^m - 1$, m prime, over
GF(p), either have G as automorphism group or are equivalent to a p-ary
Reed-Muller code; on the other hand, interesting exceptions might appear.
More is known about equivalent cyclic codes. There is a general necessary
and sufficient condition under which two cyclic codes could be equivalent (see
Theorem 5.22 in Chapter 1). In particular when the length is a prime number,
two cyclic codes can be equivalent by a multiplier only. The inequivalence
of affine-invariant codes is now established; two affine-invariant codes cannot
be equivalent unless under the Frobenius mapping [17].

Example 3.36 It is very easy to construct non linear affine-invariant codes.


Our notation is that of Section 2.4; let the ambient space be $A = k[\{F, +\}]$
where k = GF(p). Consider a coset of $P^r$, the rth power of the radical, of
the form

$$x + P^r, \quad x \in P^{r-1} \setminus P^r. \qquad (46)$$

Let us define the (generally) non linear code

$$C = \bigcup_{0 \le j \le n-1} \mathrm{sh}_j(x) + P^r$$

where $\mathrm{sh}_j(x)$ is the j-shift of x. For clarity, we denote by α a primitive root
of F and consider the j-shift as multiplication by $\alpha^j$ in F, the support field.
We are going to prove that C is invariant under the affine permutations $\sigma_{u,v}$.
Let $z \in C$, $z = y + y'$, $y' \in P^r$ and $y = \mathrm{sh}_j(x)$ for some j. Recall that,
according to (13),

$$\sigma_{u,v}(z) = \sum_{g \in F} z_g X^{ug+v} = \sum_{g \in F} y_g X^{ug+v} + \sum_{g \in F} y'_g X^{ug+v}.$$

We have $\sigma_{u,v}(z) = \sigma_{u,v}(y) + \sigma_{u,v}(y')$. As the code $P^r$ is affine-invariant,
$\sigma_{u,v}(y') \in P^r$. Moreover, by construction, $\sigma_{u,v}(y) = \sigma_{au,v}(x)$ where $a = \alpha^j$;
this shows that $\sigma_{u,0}(y)$ is a k-shift of x, with $u = \alpha^i$ and $k = i + j$. So we
only have to prove that $\sigma_{1,v}(x)$ is in C. Observe that

$$\sigma_{1,v}(x) = X^v x = (X^v - 1)x + x$$

where $(X^v - 1)x \in P^r$ since $(X^v - 1) \in P$ and $x \in P^{r-1}$. Hence $\sigma_{1,v}(x)$ is in the
coset $x + P^r$, completing the proof. Note that we mainly used the following
property: any coset of the form (46) is invariant under any translation. Recall
that $P^r$ is the p-ary Reed-Muller code of order $m(p - 1) - r$.

3.6 Are all cyclic codes asymptotically bad ?


Whether or not there exist good linear codes which are also cyclic remains
an open problem. The most recent result is due to Castagnoli et al. who
reduced the problem, by proving that repeated-root cyclic codes cannot be
asymptotically better than simple-root cyclic codes [46].
It has been known for a long time that BCH codes are asymptotically
bad (see Chapter 1, Theorem 7.7). Furthermore Kasami proved that any
family of cyclic codes is bad if it has the property that the extended codes
are affine-invariant – the proof given in [86] for binary codes can be easily
generalized.
On the other hand, Berlekamp and Justesen have shown that certain
concatenated codes are cyclic [24] thus obtaining an improved class of long
binary cyclic codes. Many researchers consider that quadratic residues codes
could be asymptotically good. This open problem is connected with the
necessity of finding a good bound for the minimum distance of the QR codes.

4 Related problems.
In this section, we examine research problems in coding theory which are con-
nected with the study of cyclic codes. Actually it is a large topic in which we
have chosen three subjects, which seem currently of interest: cryptography,
alternant codes and non linear codes.
Concerning cryptography, we recall the involvement of Reed-Muller codes
in the description of some cryptographic primitives. More generally, the
primitive binary cyclic codes are then implicated, as we will show by giving
a specific example.

The class of alternant codes is closely related with generalized Reed-
Solomon codes and contains BCH codes and Goppa codes. The class of
Goppa codes includes the narrow-sense BCH codes (see [111, chapter 12]).
The aim is to present basic elements about the links between Goppa codes
and BCH codes, introducing some open problems on Goppa codes. Note that
Goppa codes are proposed, as public-key, in the McEliece cryptosystem.
The last subject can be viewed as an example of the involvement of cyclic
codes, and of their cosets, in the construction of other interesting codes. We
treat the most famous non linear codes, the Preparata and Kerdock codes.
We give an original result, a new proof of the formal duality of these codes
based on the description of Backer and on recent results about cosets of
2-error-correcting BCH codes. The use of the operations in the field algebra
of primitive extended codes provides new properties and might suggest other
constructions.

4.1 Some problems in cryptography


The connections between coding theory and cryptography are discussed in
Chapter(Van-Tilborg), a large part of which is devoted to the use of error-
correcting codes in some cryptosystems. The most famous is the McEliece
public-key cryptosystem which uses binary Goppa codes. A priori cyclic
codes are not designed for such cryptosystems because they are considered
as easily recognizable codes. There are generally few cyclic codes for a
given length and these codes have a “rich” structure (note that the class
of repeated-root cyclic codes is not so simple). However one can mention
that to determine if a given code is cyclic or not remains a difficult problem.
Many problems in cryptography lead to general problems in coding the-
ory. For instance the generalized Hamming weight is mentioned in Chapter(Van-
Tilborg) (see in Chapter 1, Section 3: the weight hierarchy of a code). The
relation between minimal codewords and secret sharing is another example
[116][117].
Cyclic codes are related to the study and the construction of crypto-
graphic primitives, mainly through Reed-Muller codes because of the large
field of applications of boolean functions and sequences in cryptography.
There are a lot of recent papers about these applications; many are to be
found in the proceedings of the conferences EUROCRYPT and CRYPTO.
It is well-known that any property of RM codes is a property of boolean
functions. RM codes provide a natural way to quantify the degree, the non-
linearity, the correlation-immunity or the propagation criterion of a boolean
function (see for instance [36][37][42][43][117][128]). Note that maximum
nonlinearity coincides with the covering radius of the RM code of order one.
We have here a strong connection with famous open problems: the covering
radius is not known for the lengths $2^m$, $m \ge 7$ and m odd; for m even, the
maximal cosets corresponding to the bent functions are not yet classified –
the most recent result is due to Carlet and Guillot [45].
In this context, it is clear that binary primitive cyclic codes could appear
in some specific application. We want to illustrate our purpose by such an
example which can be seen as an extension of Section 3.4.2, because cyclic
codes with two zeros are involved. We want to emphasize that in a very
recent application the “old” work of Kasami [87] is an important reference.

Two cryptanalysis methods have been introduced in the literature devoted
to DES-like cryptosystems, the differential cryptanalysis [27] (1991) and the
linear cryptanalysis [118](1994). Chabaud and Vaudenay showed later
that these methods are basically linked; they deduce the definition of those
classes of functions which are optimally resistant to both attacks [48]. The
functions that oppose an optimum resistance to differential attacks are said
to be almost perfect nonlinear (APN) functions. On the other hand the
functions that oppose an optimum resistance to linear attacks are said to be
almost bent (AB) functions. Any AB function is APN. We will describe such
functions from a coding point of view.
Recall that $n = 2^m - 1$, $\mathbf{F}$ is the field of order $2^m$, k is the field of order
2 and α is a primitive nth root of unity. From now on, m is odd and we
consider a function $F$ from $\mathbf{F}$ to $\mathbf{F}$ as a polynomial on $\mathbf{F}$ such that $F(0) = 0$.

Definition 4.1 The function $F$ is said to be APN if and only if all the
equations

$$F(x) + F(x + \gamma) = \beta, \quad \gamma \in \mathbf{F},\ \gamma \neq 0,\ \beta \in \mathbf{F}, \qquad (47)$$

have at most two solutions (that is one solution modulo γ). The function $F$
is said to be AB if and only if the value of

$$\mu_F(\gamma, \beta) = \sum_{x \in \mathbf{F}} (-1)^{\beta \cdot F(x) + \gamma \cdot x} \qquad (48)$$

is equal either to 0 or to $\pm 2^{(m+1)/2}$, for any γ and β in $\mathbf{F}$, $\beta \neq 0$. Note that
$x \cdot y$ is the dot product with respect to any chosen basis of the vector-space
$\{\mathbf{F}, +\}$.

Theorem 4.2 Let $F$ be a function on $\mathbf{F}$ such that $F(0) = 0$. Let us denote
by $C_F$ the linear binary code of length n defined by its parity check matrix

$$H_F = \begin{pmatrix} 1 & \alpha & \alpha^2 & \dots & \alpha^{n-1} \\ F(1) & F(\alpha) & F(\alpha^2) & \dots & F(\alpha^{n-1}) \end{pmatrix}$$

where each entry is viewed as a vector of $k^m$. The dual code is denoted by
$(C_F)^\perp$.
Then we have:

(i) the function $F$ is APN if and only if the code $C_F$ has minimum distance
five,

(ii) the function $F$ is AB if and only if the weights of the non zero codewords
of the code $(C_F)^\perp$ form the following set

$$W = \{\, 2^{m-1},\ 2^{m-1} \pm 2^{(m-1)/2} \,\}.$$

Proof: Let $u = (u_0, \dots, u_{n-1})$ be a codeword, i.e. a vector of $k^n$. By
definition $u \in C_F$ if and only if it satisfies

$$\sum_{i=0}^{n-1} u_i \alpha^i = 0 \quad \text{and} \quad \sum_{i=0}^{n-1} u_i F(\alpha^i) = 0. \qquad (49)$$

It is clear that the minimum weight of $C_F$ is at least 3 because we cannot
have $\alpha^i = \alpha^j$ for $i \neq j$. The equation (47) can be rewritten as follows:

$$x + y = \gamma \quad \text{and} \quad F(x) + F(y) = \beta, \qquad (50)$$

for any $\gamma \neq 0$ and β. Suppose that there exist two distinct pairs $(x, y)$ and
$(x', y')$ which satisfy (50). Of course “distinct” means that we have here four
distinct elements of $\mathbf{F}$. The existence of four such elements, for some γ and
β, is equivalent to the existence of four elements satisfying

$$x + y + x' + y' = 0 \quad \text{and} \quad F(x) + F(y) + F(x') + F(y') = 0.$$

In accordance with (49), it is equivalent to say that the code $C_F$ has at least
one codeword of weight three or four (the weight can be three if 0 is in the
set $\{x, y, x', y'\}$). Note that the minimum distance cannot be more than 5,
by using the argument of the proof of Theorem 3.25 (i): the non-existence
of a $[2^m - 1, k, 6]$ linear code such that $k \ge 2^m - 1 - 2m$. So we have proved
(i).
Now set $f(x) = \beta \cdot F(x) + \gamma \cdot x$. Considering elements of $\mathbf{F}$ as vectors
of $k^m$, the function f is actually a linear combination of some rows of $H_F$.
Hence the numbers

$$\lambda_{\beta,\gamma} = \mathrm{card}\,\{\, \alpha^i \mid f(\alpha^i) = 1 \,\}$$

are the weights of the code $(C_F)^\perp$. But $\mu_F(\gamma, \beta) = 0$ means $\lambda_{\beta,\gamma} = 2^{m-1}$ and
$\mu_F(\gamma, \beta) = \pm 2^{(m+1)/2}$ means

$$2\lambda_{\beta,\gamma} = 2^m \pm 2^{(m+1)/2}, \quad \text{i.e.} \quad \lambda_{\beta,\gamma} = 2^{m-1} \pm 2^{(m-1)/2}.$$

According to the definition of the property AB (see (48)), we have proved
(ii). Note that in (48) the values of $\mu_F(\gamma, 0)$ are not considered. For our point
of view they correspond to the codewords of $(C_F)^\perp$ which are generated by
the first m rows of $H_F$, that is the codewords of the simplex code which have
weight $2^{m-1}$.

Our notation is that of Theorem 4.2.
Corollary 4.3 If the function $F$ is AB, then the dimension of the code
$(C_F)^\perp$ equals $2m$, i.e. the code $C_F$ has dimension $2^m - 2m - 1$.

Proof: By definition, the dimension of $(C_F)^\perp$ is at most $2m$. Suppose that
it is strictly less than $2m$. This means that there is at least one $\beta \neq 0$ and
one γ such that $\beta \cdot F(x) + \gamma \cdot x = 0$ for any $x \in \mathbf{F}$. So $\mu_F(\gamma, \beta)$ equals $2^m$, a
contradiction.


Corollary 4.4 Assume that the function $F$ is defined as follows

$$F(x) = x^r, \quad \mathrm{card}\,\{\, r, 2r, \dots, 2^{m-1} r \bmod n \,\} = m.$$

Denote by $C_r$ the binary cyclic code of length n whose zeros are α, $\alpha^r$ and
their conjugates.
Then $F$ is APN if and only if $C_r$ has minimum distance five. The function
$F$ is AB if and only if $(C_r)^\perp$ has only three nonzero weights, $2^{m-1}$ and
$2^{m-1} \pm 2^{(m-1)/2}$. In this case the weight enumerator of $(C_r)^\perp$ is exactly the
weight enumerator of the dual of the 2-error-correcting BCH code, given
in Theorem 3.32.

Proof: By definition $H_F$ is exactly the parity-check matrix of the binary
cyclic code $C_r$. Note that the 2-cyclotomic coset of r is assumed to have
cardinality m because, according to Corollary 4.3, this is a necessary condition
if we want to construct AB functions.
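
The criteria of Definition 4.1 and both parts of Theorem 4.2 can be checked exhaustively over a small field, which is how a candidate S-box is screened against differential and linear cryptanalysis. The Python below is an added example, not code from the paper; the choice m = 5, the primitive polynomial z^5 + z^2 + 1, the exponents tried and all function names are assumptions made for the illustration.

```python
# Added example: APN / AB tests for power maps F(x) = x^r on GF(2^m), m odd,
# together with the code-side criteria of Theorem 4.2. Names are hypothetical.

def build_field(m, prim_poly):
    """exp/log tables of GF(2^m) = GF(2)[z]/(prim_poly); elements are m-bit ints."""
    n = (1 << m) - 1
    exp, log, x = [], {}, 1
    for i in range(n):
        exp.append(x)
        log[x] = i
        x <<= 1                      # multiply by alpha = z
        if x >> m:
            x ^= prim_poly           # reduce modulo the primitive polynomial
    if len(log) != n:
        raise ValueError("prim_poly is not primitive of degree m")
    return exp, log

def power_map(m, prim_poly, r):
    """Lookup table of F(x) = x^r, with F(0) = 0."""
    exp, log = build_field(m, prim_poly)
    n = (1 << m) - 1
    return [0] + [exp[(r * log[x]) % n] for x in range(1, n + 1)]

def differential_uniformity(F):
    """Largest number of solutions x of F(x) + F(x + gamma) = beta, gamma != 0 (eq. 47)."""
    q, worst = len(F), 0
    for gamma in range(1, q):
        counts = [0] * q
        for x in range(q):
            counts[F[x] ^ F[x ^ gamma]] += 1
        worst = max(worst, max(counts))
    return worst

def walsh_values(F):
    """Set of all mu_F(gamma, beta) of eq. (48), beta != 0, any gamma."""
    q, values = len(F), set()
    for beta in range(1, q):
        # sign of beta . F(x); the dot product is the parity of the bitwise AND
        w = [1 - 2 * (bin(beta & F[x]).count("1") & 1) for x in range(q)]
        h = 1
        while h < q:                 # in-place fast Walsh-Hadamard transform
            for i in range(0, q, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        values.update(w)             # w[gamma] is now mu_F(gamma, beta)
    return values

def dual_weights(mu_values, q):
    """Nonzero weights of (C_F)^perp: lambda = (2^m - mu) / 2, plus the simplex words."""
    weights = {(q - mu) // 2 for mu in mu_values}
    weights.add(q // 2)              # beta = 0, gamma != 0
    weights.discard(0)
    return weights

def min_distance_at_least_5(F):
    """Direct test on C_F: columns of H_F are (x, F(x)), x != 0.
    A repeated sum of at most two columns gives a codeword of weight 3 or 4."""
    q = len(F)
    seen = {(x, F[x]) for x in range(1, q)}
    for x in range(1, q):
        for y in range(x + 1, q):
            key = (x ^ y, F[x] ^ F[y])
            if key in seen:
                return False
            seen.add(key)
    return True

def analyse(m, prim_poly, r):
    F = power_map(m, prim_poly, r)
    mu = walsh_values(F)
    bound = 1 << ((m + 1) // 2)      # 2^((m+1)/2)
    return {
        "apn": differential_uniformity(F) == 2,
        "ab": mu <= {0, bound, -bound},
        "d_ge_5": min_distance_at_least_5(F),
        "dual_weights": sorted(dual_weights(mu, len(F))),
    }

if __name__ == "__main__":
    # Constructed parameters: GF(32) from z^5 + z^2 + 1; r = 3 (quadratic),
    # r = 7 = 2^t + 3 with t = 2, r = 30 (the inverse map x -> x^(-1)).
    for r in (3, 7, 30):
        print(r, analyse(5, 0b100101, r))
```

For r = 30 the map is APN but not AB, so the dual code has more than three nonzero weights while the minimum distance test on $C_F$ still passes.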

It is easy to see that the code $C_F$ always contains a subcode which is
a cyclic code. This is the code whose zeros are $\{\alpha, \alpha^{i_1}, \dots, \alpha^{i_\ell}\}$ when the
polynomial form of $F(x)$ is

$$F(x) = \sum_{j=1}^{\ell} \lambda_j x^{i_j}, \quad \lambda_j \in \mathbf{F} \setminus \{0\}.$$

More generally, the connections between APN/AB functions, bent functions
and codes were recently studied in [44].
Differential and linear attacks are now “classical”, providing theoretical
criteria for the security of DES-like ciphers. For instance, to replace the
S-boxes used in DES with another function which resists both differential and
linear cryptanalysis is a problem which is currently under discussion. This
gives renewed interest to the properties of functions $x \mapsto x^k$ on F, i.e. of
cyclic codes with two zeros. Therefore, there is much current work related
to these properties which will certainly lead to new results. The paper of
Dobbertin [66] is such an example in which it is proved that the function
$x \mapsto x^k$, for $k = 2^t + 3$, is APN. Then the author has partially proved the
Welch conjecture (see comments in Section 3.4.2).
For applications in cryptography the functions which are one-to-one are
of most interest. So APN permutations, even when they are not AB, are
interesting. It seems that the main problem is to find codes CF with “few”
codewords of weight 4. This is connected with the problem of the weight
enumerators of cosets of the codes CF , in particular when CF is a primitive
cyclic code with two zeros. Note that the covering radius of codes like CF is
generally not known.

4.2 Cyclic codes and Goppa codes
The aim of this section is to give a basic account about the connections
between Goppa codes and cyclic codes.
Goppa codes, which are often said to be close to random codes, can be
viewed in the ambient space of primitive cyclic (or extended cyclic) codes.
To study some properties of cyclic codes through Goppa codes is, in a certain
sense, an overview. For instance, codewords of Goppa codes can be defined
in several ways including MS-polynomials and locator polynomials – tools
which were developed in the previous sections for cyclic codes.
On the other hand there is a famous open problem which is to recover
the original structure of any Goppa code when only a permuted generator
matrix is given. This is a possible way for breaking the McEliece public-
key cryptosystem [107] but could be used in some other applications. Here
knowledge of properties of cyclic codes, or of tools designed to the study of
cyclic codes, might be useful.
The automorphism groups of Goppa codes are not known. It is conjec-
tured that the group of such a code is generally trivial; furthermore one can
say that there are few Goppa codes, extended or not, which are cyclic. As is
explained in Chapter(Assmus-Key) a code can be cyclic in many ways. One
must specify explicitly the cyclic structure we are referring to before compar-
ing a given code to a cyclic code. That is particularly true for Goppa codes.
It is easy to treat the cyclicity when the support is fixed, meaning that we
consider the code in the ambient space k[{G∗ , ×}], denoted by M in Section
2.2; the “shift” is precisely the multiplication of the cyclic group G∗ . Other-
wise the problem becomes the general problem of finding the automorphism
group of Goppa codes.
We first recall that, with the above restricted point of view, it is easy
to show that cyclic Goppa codes are BCH codes. We next point out that,
however, there is a large class of quasi-cyclic Goppa codes. To conclude we
explain the link between the class of Goppa codes and the minimum weight
codewords of BCH codes by giving some applications of Corollary 3.13 (in
the binary case).
We consider here classical Goppa codes in the sense of [74] (see also [111,
Chapter 12] or [139, Chapter 8]). As previously the finite field of order q,
$q = p^r$ and p a prime, is denoted by k; k is the alphabet field. The support
field is denoted by F; it is an extension field of k of order $p^m$, r dividing
m (or $q^{m'}$, $m' = m/r$). Considering Goppa codes, the field F is called the
full support field, because for such a code the support can be, with some
restrictions, any subset of F.

Definition 4.5 Let $g(z)$ be a monic polynomial of degree t over F. Let $n \ge 2$
and $L = \{\alpha_1, \dots, \alpha_n\}$ be a set of n distinct elements of F. Moreover $g(z)$
and L are such that

$$g(\alpha_i) \neq 0, \quad 1 \le i \le n.$$

The Goppa code $\Gamma(L, g)$, of length n over k, is the set of codewords c, i.e.
vectors $(c_1, \dots, c_n)$ in $k^n$, satisfying

$$R_c(z) = \sum_{i=1}^{n} \frac{c_i}{z - \alpha_i} \equiv 0 \pmod{g(z)}.$$

Before studying some properties of cyclicity, we want to recall that the di-
mension and the minimum distance of Goppa codes are not known. In both
cases, only a bound is known which is generally considered as a good bound;
note that the bound on the dimension is reached for an infinite class of Goppa
codes of small dimension [138]. These bounds can be easily obtained from a
parity check matrix of the code (as H in the proof of Proposition 4.7).

Proposition 4.6 Let Γ(L, g) be a Goppa code defined by Definition 4.5; let
t be the degree of g(z). Then the dimension k and the minimum distance d
of Γ(L, g) satisfy:
$$k \ge n - m' t \quad \text{and} \quad d \ge t + 1.$$

Proposition 4.7 If $g(z) = z^t$ the Goppa code $\Gamma(L, g)$ can be identified to
a subcode of the narrow-sense BCH code of designed distance t and length
$q^{m'} - 1$ over k.

Proof: The following matrix, where each entry is a column vector of length
$m'$ from k, is a parity check matrix of the code $\Gamma(L, g)$.

$$H = \begin{pmatrix}
g(\alpha_1)^{-1} & \dots & g(\alpha_n)^{-1} \\
\alpha_1 g(\alpha_1)^{-1} & \dots & \alpha_n g(\alpha_n)^{-1} \\
\dots & \dots & \dots \\
\alpha_1^{t-1} g(\alpha_1)^{-1} & \dots & \alpha_n^{t-1} g(\alpha_n)^{-1}
\end{pmatrix}$$

Assume that $g(z) = z^t$. For clarity, let $\alpha_i^{-1} = \beta_i$, for all i. By replacing in
H, we obtain

$$H = \begin{pmatrix}
\alpha_1^{-t} & \dots & \alpha_n^{-t} \\
\alpha_1^{-(t-1)} & \dots & \alpha_n^{-(t-1)} \\
\dots & \dots & \dots \\
\alpha_1^{-1} & \dots & \alpha_n^{-1}
\end{pmatrix}
= \begin{pmatrix}
\beta_1^{t} & \dots & \beta_n^{t} \\
\beta_1^{t-1} & \dots & \beta_n^{t-1} \\
\dots & \dots & \dots \\
\beta_1 & \dots & \beta_n
\end{pmatrix}$$

We recognize that H consists of some columns of the parity check matrix
of the narrow sense BCH code of designed distance t on k (see Chapter 1,
Section 5). So $\Gamma(L, g)$ is the subcode of this code containing all codewords
whose support is contained in L.

Now we consider Goppa codes of length n, where n divides $q^{m'} - 1$. The
next theorem is based on a strong restriction: Goppa codes are viewed in the
ambient space of cyclic codes of length n over k and “cyclic” means that the
code is invariant under the shift on the support L. One can then prove that
any Goppa code which is cyclic, in the sense above, is a BCH code.

Lemma 4.8 Suppose that $L = \{\, 1, \beta, \dots, \beta^{n-1} \,\}$ where β is a primitive
nth root of unity in F. Then the code $\Gamma(L, g)$ consists of the codewords c
whose MS polynomial satisfies:

$$z^{n-1} M_c(z) \pmod{z^n - 1} \equiv 0 \pmod{g(z)}.$$

Moreover if c satisfies $\sum_{i=1}^{n} c_i = 0$ then $z g(z)$ divides $M_c(z)$.

Proof: We simply generalize the proof of van Lint [139, p.113]. We denote
by $Q(z)$ the polynomial $z^{n-1} M_c(z)$. Let $c = (c_1, \dots, c_n)$ be a codeword of
length n on k. Consider the polynomial of $F[z]$:

$$P(z) = \frac{z^n - 1}{n} \sum_{\ell=0}^{n-1} \frac{M_c(\beta^\ell)}{z - \beta^\ell} = \frac{1}{n} \sum_{\ell=0}^{n-1} M_c(\beta^\ell) \prod_{i,\, i \neq \ell} (z - \beta^i).$$

Note that $(n, p) = 1$, $\gcd(z^n - 1, g(z)) = 1$ and $P(z)$ has degree less than or
equal to $n - 1$. By differentiating $z^n - 1$, it is easy to check that

$$\prod_{i,\, i \neq \ell} (\beta^\ell - \beta^i) = n \beta^{-\ell}.$$

Thus we have for any j, $0 \le j \le n - 1$:

$$P(\beta^j) = \frac{M_c(\beta^j)}{n} \prod_{i,\, i \neq j} (\beta^j - \beta^i) = M_c(\beta^j)\, \beta^{-j}.$$

Since $P(z)$ takes the same values as $Q(z)$ on the group of nth roots of unity,
then $Q(z) = P(z)$. Furthermore we obtain

$$P(z) = \frac{z^n - 1}{n} \sum_{i=0}^{n-1} \frac{n c_i}{z - \beta^i} = (z^n - 1) R_c(z)$$

because $M_c(\beta^i) = n c_i$ by applying the inverse formula (4) (see Section 2.2).
According to Definition 4.5, one deduces that c is in $\Gamma(L, g)$ if and only if
$g(z)$ divides $Q(z)$, proving the first part of the theorem. Now, by definition
of $M_c(z)$, we have

$$Q(z) = z^{n-1} M_c(z) = \sum_{s=0}^{n-1} \rho_{n-s}(c)\, z^{s-1} \pmod{z^n - 1},$$

where $\rho_s(c) = \sum_{i=1}^{n} c_i \beta^{s(i-1)}$ (see (3) and (1)). This shows that $zQ(z)$ is
divisible by z if and only if $\rho_n(c) = \sum_{i=1}^{n} c_i = 0$. When this property holds,
we can conclude that $M_c(z)/z$ is a multiple of $g(z)$, completing the proof.


Theorem 4.9 Assume that $L = \{\, 1, \beta, \dots, \beta^{n-1} \,\}$, a cyclic subgroup of
F where β is a primitive nth root of unity. If the code $\Gamma(L, g)$ is “cyclic”,
i.e. is invariant under the permutation $\beta^i \mapsto \beta^{i+1}$ on L, then $g(z) = z^t$, for
some t. So $\Gamma(L, g)$ is a BCH code of length n and designed distance t over
k.

Proof: Suppose that $\Gamma(L, g)$ is cyclic. By definition of cyclic codes we can
choose $c \in \Gamma(L, g)$ such that $\rho_n(c) = 0$. Moreover, according to Lemma 4.8,
$z g(z)$ divides $M_c(z)$.
Suppose that $g(\gamma) = 0$ for some γ, $\gamma \neq 0$, belonging to some extension
field of k. Thus $M_c(\gamma) = 0$. But the polynomials $M_c(\beta^{-i} z)$, $0 \le i \le n - 1$, are
the MS polynomials of the shifts, say $\mathrm{sh}_i(c)$, of the codeword c (see Theorem
2.3). Since $\mathrm{sh}_i(c)$ is in $\Gamma(L, g)$ we have for all i:

$$M_c(\beta^{-i} \gamma) = M_{\mathrm{sh}_i(c)}(\gamma) = 0$$

which contradicts the fact that $M_c(z)$ is a polynomial of degree strictly less
than n. Hence $g(z)$ has no roots γ, unless $\gamma = 0$, meaning that $g(z) = z^t$ for
some t. From Proposition 4.7, $\Gamma(L, g)$ is a BCH code, completing the proof.

On the other hand, there is a large class of quasi-cyclic Goppa codes,
i.e. Goppa codes Γ(L, g) which are invariant under multiplication by some
element of F. The class that we define below is not the most general one; we
simply indicate the way of constructing such Goppa codes.
Proposition 4.10 Recall that α denotes any primitive root of F. Suppose
that n divides $q^{m'} - 1$ and denote by β a primitive nth root of unity in F.
Let us define the Goppa code $\Gamma(L, g)$ such that $L = \{\, \alpha^i \mid 0 \le i \le q^{m'} - 2 \,\}$
and $g(z)$ is a monic polynomial satisfying

$$g(\beta z) = g(z), \quad \text{for any } z.$$

Then $\Gamma(L, g)$ is invariant under multiplication by β over L: $\Gamma(L, g)$ is
quasi-cyclic.

Proof: Set $N = q^{m'} - 1$. From Lemma 4.8, $\Gamma(L, g)$ consists of those codewords
c of $k^N$ whose MS polynomial satisfies

$$z^{N-1} M_c(z) \pmod{z^N - 1} \equiv 0 \pmod{g(z)}.$$

From Theorem 2.3, $M_c(z/\beta)$ is the MS polynomial of the ν-shift of c where
$\nu = N/n$ and $\beta = \alpha^\nu$. On the other hand, $g(\beta z) = g(z)$ means that the set of
roots of $g(z)$ is invariant under the multiplication by β. Hence $g(z)$ divides
$(z/\beta)^{N-1} M_c(z/\beta)$, implying that $g(z)$ divides

$$z^{N-1} M_c(z/\beta) = z^{N-1} M_{\mathrm{sh}_\nu(c)}(z).$$

So we conclude that the ν-shift of c is in $\Gamma(L, g)$; in other words, $\Gamma(L, g)$ is
quasi-cyclic.

Example 4.11 Our notation is as in Proposition 4.10. Let $F'$ be an extension
field of F. Take

$$g(z) = z^n - \gamma, \quad \gamma \in F' \setminus F.$$

Obviously $g(\beta z) = \beta^n z^n - \gamma = g(z)$. So $\Gamma(L, g)$ is a quasi-cyclic code of
length $N = q^{m'} - 1$ and dimension k, $k \ge N - m' n$.

From now on we will consider binary Goppa codes, i.e. k = GF(2) and
F = GF($2^m$). Let $\Gamma(L, g)$ be a binary Goppa code of length n over k. Any
codeword c can be identified to its locator set $\{\, \alpha_i \in L \mid c_i \neq 0 \,\}$. Assume
that c has weight w, with $c_{i_1} = \dots = c_{i_w} = 1$ and define

$$f_c(z) = \prod_{j=1}^{w} (z - \alpha_{i_j}). \qquad (51)$$

By differentiating, we obtain

$$f_c'(z) = \sum_{\ell=1}^{w} \prod_{\substack{j=1 \\ j \neq \ell}}^{w} (z - \alpha_{i_j}).$$

This leads obviously to the following equality:

$$R_c(z) = \sum_{i=1}^{n} \frac{c_i}{z - \alpha_i} = \frac{f_c'(z)}{f_c(z)}. \qquad (52)$$

We conclude with the notation above:

Proposition 4.12 Denote by $\hat{g}(z)$ the lowest degree perfect square polynomial
which is divisible by $g(z)$; let t be the degree of $g(z)$ and $t'$ be the degree
of $\hat{g}(z)$.
Then the codeword c is in $\Gamma(L, g)$ if and only if $\hat{g}(z)$ divides $f_c'(z)$ and the
minimum distance d of $\Gamma(L, g)$ is at least $t' + 1$. Moreover if the roots of $g(z)$
have multiplicity one then $g(z)^2$ divides $f_c'(z)$ and $d \ge 2t + 1$.

Proof: According to Definition 4.5, c is in $\Gamma(L, g)$ if and only if $R_c(z) \equiv 0$
modulo $g(z)$. Since the roots of $f_c(z)$ are of multiplicity one, $f_c(z)$ and
$f_c'(z)$ have no common factors. Moreover, by definition, $g(z)$ and $f_c(z)$ are
relatively prime. So (52) means that $g(z)$ divides $R_c(z)$ if and only if it
divides $f_c'(z)$.
As the characteristic is 2, $f_c'(z)$ is a perfect square. Hence $g(z)$ divides
$f_c'(z)$ if and only if $\hat{g}(z)$ divides $f_c'(z)$. This provides a lower bound on the
minimum distance of $\Gamma(L, g)$: since the degree of $f_c(z)$ is at least $t' + 1$ then
$d \ge t' + 1$. When all roots of $g(z)$ have multiplicity one, $g(z)^2$ divides $f_c'(z)$,
proving that the weight of c is at least $2t + 1$.

Denote by B(δ) the binary BCH code of length n and designed distance
δ. We know the form of the locator polynomials of the codewords of B(δ)
(see Corollary 3.13). So the preceding proposition leads us to this natural
question: what is the intersection between B(δ) and Γ(L, g), when δ is exactly
the lower bound $t' + 1$? The general problem is difficult; however, it is often
easy to characterize codewords belonging to this intersection. We conclude
this section by giving some results on such codewords of weight δ.

Proposition 4.13 Recall that F = GF($2^m$). Let $g(z)$ be any polynomial of
degree t on $F[z]$ whose roots have multiplicity one. Set

$$g(z) = \sum_{i=0}^{t} \lambda_i z^i, \quad \lambda_t = 1.$$

Consider the binary Goppa codes $\Gamma(L, g)$ such that

$$L = F \setminus \{\, \gamma \in F \mid g(\gamma) = 0 \,\}.$$

The code $B(\delta)$, $\delta = 2t + 1$, is the narrow-sense binary BCH code of length
$2^m - 1$ and designed distance δ.
Suppose that there is a codeword x of weight δ in $B(\delta) \cap \Gamma(L, g)$. Then
the locator polynomial of x, say $\sigma_x(z)$, is of the form:

$$\sigma_x(z) = z^{\delta} f_x(z^{-1}) \quad \text{with} \quad f_x(z) = \xi + \sum_{i=0}^{t-1} \lambda_i z^{2i+1} + z^{\delta}, \qquad (53)$$

where ξ is some element of F.

Conversely, if there exists a polynomial of the form (53) which splits in
F and whose roots have multiplicity one, then it defines a codeword of weight
δ contained in $B(\delta) \cap \Gamma(L, g)$, proving that the minimum distance of both
codes is exactly δ.

Proof: Suppose that there is a codeword x of weight δ in $B(\delta) \cap \Gamma(L, g)$.
Since $x \in B(\delta)$, the form of $\sigma_x(z)$ is known from Corollary 3.13:

$$\sigma_x(z) = 1 + \sum_{r=1}^{t} \sigma_{2r} z^{2r} + \sigma_\delta z^{\delta}. \qquad (54)$$

Let $\{\, \alpha_j \mid 1 \le j \le \delta \,\}$ be the set of locators of x. We have, by definition,

$$\sigma_x(z) = \prod_{j=1}^{\delta} (1 - \alpha_j z) = z^{\delta} \prod_{j=1}^{\delta} (z^{-1} - \alpha_j) = z^{\delta} f_x(z^{-1})$$

(see (51)). Therefore

$$f_x(z) = z^{\delta} \sigma_x(z^{-1}) = z^{\delta} + \sum_{r=1}^{t} \sigma_{2r} z^{\delta - 2r} + \sigma_\delta = z^{\delta} + \sum_{i=0}^{t-1} \sigma_{2(t-i)} z^{2i+1} + \sigma_\delta,$$

where $i = t - r$, with $\delta = 2t + 1$. As $x \in \Gamma(L, g)$, $g(z)^2$ divides $f_x'(z)$ from
Proposition 4.12. But these polynomials have the same degree. So we have

$$f_x'(z) = z^{2t} + \sum_{i=0}^{t-1} \sigma_{2(t-i)} z^{2i} = g(z)^2,$$

implying $\sigma_{2(i-t)} = \lambda_i$, completing the proof of (53).

Conversely if $f_x(z)$ is given by (53), for some x, then $g(z)$ divides $f_x'(z)$ by
definition. Moreover $f_x'(z)$ and $f_x(z)$ cannot have common factors implying
that the locators of x are in L. Hence x is in $\Gamma(L, g)$ and its locator polynomial,
$\sigma_x(z)$, has the form (54), completing the proof.

A consequence of these last propositions is that we can easily characterize
the binary Goppa codes containing a given codeword. Therefore, if we know
precisely a minimum weight codeword of some BCH code, say B(δ), then we
can construct the unique Goppa code of minimum distance δ containing this
codeword. We illustrate these properties by the next example.
Example 4.14 For clarity we treat codewords which are idempotents. We
consider binary codes of length $2^8$, i.e. m = 8 and F = GF(256); $\Gamma(L, g)$ is
a binary Goppa code with L = F.
Consider a product of two minimal polynomials of degree 8:

$$h(z) = (z^8 + z^5 + z^4 + z^3 + z^2 + z + 1)(z^8 + z^7 + z^5 + z^4 + 1)$$
$$\phantom{h(z)} = 1 + z + z^2 + z^3 + z^5 + z^7 + z^8 + z^{10} + z^{12} + z^{15} + z^{16}.$$

Denote by x the codeword, of weight 16, whose locators are the roots of $h(z)$;
so $f_x(z) = h(z)$, where $f_x$ is defined by (51). Now we compute the binary
factors of $f_x'(z)$:

$$f_x'(z) = 1 + z^2 + z^4 + z^6 + z^{14} = (z^7 + z^3 + z^2 + z + 1)^2.$$

Let $g(z) = z^7 + z^3 + z^2 + z + 1$. Since $g(z)$ is the only proper factor of $f_x'(z)$, we
can conclude that the code $\Gamma(L, g)$ is the only binary Goppa code of length
256 containing x. Note that the minimum distance of this code is at least
15.
On the other hand, take

$$f_x(z) = (z^8 + z^7 + z^6 + z^5 + z^4 + z^3 + 1)(z + 1) = z^9 + z^3 + z + 1$$

giving

$$f_x'(z) = z^8 + z^2 + 1 = (z^4 + z + 1)^2.$$

According to (53) and (54), x is a codeword of weight 9 in the BCH code of
length 255 and designed distance 9. The polynomial $z^4 + z + 1$ is the minimal
polynomial of an element γ of GF($2^8$), but it cannot have a common root
with $f_x(z)$. So x is a codeword of $\Gamma(L, g)$, where

$$g(z) = z^4 + z + 1 \quad \text{and} \quad L = F \setminus \{\gamma, \gamma^2, \gamma^4, \gamma^8\}.$$

Implicitly, we have proved that the minimum distance of B(9) (and of $\Gamma(L, g)$)
is exactly 9.
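
Both computations of Example 4.14 can be reproduced mechanically: the derivative of the locator polynomial gives g with $g^2 = f_x'$, and a gcd with $z^{2^m} - z$ counts the elements that must be removed from L. The Python below is an added example, not code from the paper; polynomials over GF(2) are encoded as integers (bit i is the coefficient of $z^i$) and all function names are hypothetical.

```python
# Added example: recovering the Goppa polynomial of Proposition 4.12 from a
# locator polynomial f_x over GF(2). Ints encode polynomials, bit i <-> z^i.

def poly(*exponents):
    """Build a polynomial from its exponents, e.g. poly(4, 1, 0) = z^4 + z + 1."""
    p = 0
    for e in exponents:
        p ^= 1 << e
    return p

def deg(p):
    return p.bit_length() - 1

def pmul(a, b):
    """Carry-less product in GF(2)[z]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pmod(a, b):
    """Remainder of a modulo b (b != 0) in GF(2)[z]."""
    while a.bit_length() >= b.bit_length():
        a ^= b << (a.bit_length() - b.bit_length())
    return a

def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a

def derivative(f):
    """Formal derivative: in characteristic 2 only odd exponents survive."""
    return poly(*(e - 1 for e in range(1, f.bit_length(), 2) if f >> e & 1))

def psqrt(f):
    """Square root of a perfect square of GF(2)[z] (every exponent is even)."""
    if any(f >> e & 1 for e in range(1, f.bit_length(), 2)):
        raise ValueError("not a perfect square")
    return poly(*(e // 2 for e in range(0, f.bit_length(), 2) if f >> e & 1))

def frobenius_image(f, m):
    """z^(2^m) mod f, by m successive squarings."""
    x = pmod(0b10, f)
    for _ in range(m):
        x = pmod(pmul(x, x), f)
    return x

def goppa_from_locator(f, m):
    """f is f_x of (51) for a binary word x whose locators lie in GF(2^m).
    Returns g with g^2 = f_x' and the data defining a code Gamma(L, g) containing x."""
    # f divides z^(2^m) - z exactly when it has deg(f) distinct roots in GF(2^m)
    if frobenius_image(f, m) != pmod(0b10, f):
        raise ValueError("f does not split with simple roots in GF(2^m)")
    g = psqrt(derivative(f))                 # f_x' is a perfect square
    simple = pgcd(g, derivative(g)) == 1     # roots of g have multiplicity one
    # roots of g that lie in GF(2^m) cannot belong to the support L
    excluded = deg(pgcd(g, frobenius_image(g, m) ^ pmod(0b10, g)))
    t = deg(g)
    return {"weight": deg(f), "g": g, "t": t, "excluded_from_L": excluded,
            "distance_bound": 2 * t + 1 if simple else t + 1}

if __name__ == "__main__":
    h = pmul(poly(8, 5, 4, 3, 2, 1, 0), poly(8, 7, 5, 4, 0))   # first case
    print(goppa_from_locator(h, 8))
    f2 = pmul(poly(8, 7, 6, 5, 4, 3, 0), poly(1, 0))           # second case
    print(goppa_from_locator(f2, 8))
```

In the second case the bound 2t + 1 equals the weight of x, which is the argument used above to conclude that the minimum distance is exactly 9.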

Comments on Section 4.2 An extensive study of the cyclicity of extended
Goppa codes was made by Stichtenoth in [134]; at the end of the
paper the author noted that the problem of the characterization of classi-
cal Goppa codes (extended or not) which are cyclic remains open. Recently
Berger obtained new results by classifying among alternant codes those for
which the cyclicity is inherited from automorphism groups of generalized RS
codes [19].
Several papers appeared recently characterizing or studying special classes
of Goppa codes: quasi-cyclic Goppa codes [30], 2-divisible Goppa codes [145]
or Goppa codes defined by particular polynomials [28]. They can be seen in
a general context; their aim is to obtain precise results about the structure
of Goppa codes.

4.3 On the weight enumerator of Preparata codes


In this section we present a new form for the weight enumerator of Preparata
codes and a new proof of the formal duality between Kerdock and Preparata
codes (see Theorem 4.20 later). Recall that the weight distribution of Preparata
codes was first obtained by Semakov and Zinoviev [129]; the “formal
duality” is due to Zaitsev et al. [151, 1972].
However our aim is to give an example of the construction of good non
linear codes based on properties of some cyclic codes. We want to explain
Preparata codes by means of tools developed for primitive cyclic codes. The
cyclic codes in question have an affine-invariant extension and the material
from Section 2 can be used to provide more properties of the most famous
non linear codes.
By construction the Preparata codes are connected to the cosets of some
binary cyclic codes. They are the codes of length $2^m - 1$, $m$ odd, with defining
set
$$\mathrm{cl}(1) \cup \mathrm{cl}(2^i + 1), \quad \gcd(i, m) = 1,$$
where $\mathrm{cl}(s)$ is the 2-cyclotomic coset modulo $2^m - 1$ containing $s$. These codes
were previously denoted by $C_{1,2^i+1}$. For simplicity, we denote $C_{1,2^i+1}$ by $B_i$.
The codes $B_i$ have minimum distance 5 and the same weight enumerator as
that of the double-error-correcting BCH code (the code $B_1$) as explained in
Section 3.4.2; this was first proved by Kasami [87][88].
We consider here the extended codes, denoted by $\widehat{B}_i$. These codes are
affine-invariant with parameters $[2^m, 2^m - 2m - 1, 6]$. Indeed such a code has
defining set
$$T_i = \{0\} \cup \mathrm{cl}(1) \cup \mathrm{cl}(2^i + 1), \quad \gcd(i, m) = 1,$$
which obviously is the defining set of an affine-invariant code (see Theorem
2.14). As $B_i$ has minimum distance 5, its extension has minimum distance
6. The weight enumerator of any code $\widehat{B}_i^{\perp}$ is easily deduced from those of
$B_i^{\perp}$ – which is the one of $B_1^{\perp}$ and was given in Theorem 3.30 – (see a precise
explanation in [55]). That is:
$$\begin{array}{ll}
\text{Weights of } \widehat{B}_i^{\perp} & \text{Number of words} \\ \hline
0 & 1 \\
2^{m-1} - 2^{(m-1)/2} & (2^m - 1)\,2^{m-1} \\
2^{m-1} & 2^{2m} + 2^m - 2 \\
2^{m-1} + 2^{(m-1)/2} & (2^m - 1)\,2^{m-1} \\
2^m & 1
\end{array} \qquad (55)$$

The codes $\widehat{B}_i$ have the same weight distribution of cosets independent of
$i$. Actually the codes $B_i$ are known to be uniformly packed and completely
regular, with the same distance matrix. This comes mainly from the fact that
for such a code the external distance is equal to the covering radius. These
results are to be found in [13] and [130], where uniformly packed codes were
introduced; see also [72] for an extensive study. The next theorem is easily
deduced; for clarity we outline the proof.
Theorem 4.15 The binary extended cyclic codes $\widehat{B}_i$ of length $2^m$, $m$ odd,
with defining set

$$T_i = \{0\} \cup \mathrm{cl}(1) \cup \mathrm{cl}(2^i + 1), \quad \gcd(i, m) = 1,$$

where $0 < i \le (m - 1)/2$, are affine-invariant $[2^m, 2^m - 2m - 1, 6]$ codes.
They are completely regular. They have the same cosets weight distribution.
The covering radius and the external distance are equal to four. The distance
matrix is
$$\begin{array}{l|ccccc}
\text{weights} & 0 & 1 & 2 & 3 & 4 \\ \hline
\text{coset } 0 & 1 & 0 & 0 & 0 & 0 \\
\text{coset } 1 & 0 & 1 & 0 & 0 & 0 \\
\text{coset } 2 & 0 & 0 & 1 & 0 & \nu_1 \\
\text{coset } 3 & 0 & 0 & 0 & \mu & 0 \\
\text{coset } 4 & 0 & 0 & 0 & 0 & \nu_2
\end{array}$$
where $\mu = (2^{m-1} - 1)/3$, $\nu_1 = (2^{m-2} - 2)\mu$ and $\nu_2 = 2^{m-2}\mu$; “coset $i$”
means “coset of minimum weight $i$”. The weight enumerators of the cosets
are given in Table 10. Furthermore the codes $\widehat{B}_i$ are not equivalent.

Proof: Recall that the external distance r of a linear code is the number of
the non zero weights of its dual. The distance matrix has r + 1 columns and
t rows, where t is the number of distinct weight distributions of the cosets of
the code. The (j + 1)-st column contains the number of codewords of weight
j for any weight distribution. Knowledge of this matrix is sufficient for the
determination of the complete weight distribution of cosets (see Theorem
10.10 of Chapter 1).
A new formulation of the cosets weight distribution of $\widehat{B}_1$ was given in [55].
The distance matrix and the weight enumerators of cosets were obtained by
using some properties which hold for any $i$. We point out that these results
can be generalized: the coset weight distribution of any $\widehat{B}_i$ is the same as the
one of $\widehat{B}_1$ given in [55]. We give a sketch of its proof.

• According to (55), the external distance of any code $\widehat{B}_i$ is four. Then
the covering radius $\rho$ of the codes $B_i$ satisfies $\rho \le 4$. Actually it is
exactly four since $\widehat{B}_i$ is contained in the Reed-Muller (RM) code of
order $m - 2$ whose minimum distance is four.

• There are at most four distinct weight distributions. Indeed all cosets
of weight one, and all cosets of weight two, have the same weight
distribution since the codes $\widehat{B}_i$ are affine-invariant – i.e. invariant under
a doubly-transitive group. On the other hand, the weight distributions
of cosets of weight 3 and 4 are unique; this is a general result proved in
[1], Corollary 1 and 2. Then the codes $\widehat{B}_i$ are completely regular since
the weight distribution of each coset only depends on the minimum
weight of the coset.

• One computes the weight distributions of cosets, and the coefficients of
the distance matrix, by considering the linear codes of the form
$$C = (x + \widehat{B}_i) \cup \widehat{B}_i, \quad x \notin \widehat{B}_i,$$
where the weight of $x$ satisfies $1 \le \mathrm{wt}(x) \le 4$ and is equal to the
weight of $C$. As $C^{\perp}$ is contained in $\widehat{B}_i^{\perp}$, $C^{\perp}$ has at most four nonzero
weights; the code $C^{\perp}$ has at most three weights when $x$ is an odd weight
codeword because in this case it cannot contain the all one vector. So,
in any case, we can apply Theorem 3.29 to the weight distribution of
$C$: we know the number of codewords of weight $w$, $0 \le w \le s - 1$ and
only $s$ coefficients of the weight enumerator of $C^{\perp}$ are unknown ($s = 3$
or 4).

• Finally the weight enumerator of any code of type $C$ is uniquely
obtained from the weight enumerator of $\widehat{B}_i$ which does not depend on $i$.
The distance matrix of all these codes is unique.

Berger has recently proved that two binary affine-invariant codes cannot
be equivalent [17]. So the codes $\widehat{B}_i$ are not equivalent.


The automorphism group of the generalized Preparata codes was found by
Kantor [83]. In his paper, Kantor proved also the inequivalence of these
codes by using a relatively simple description, due to Baker and Wilson.
We recall the definition of the classical extended Preparata codes, due to
Baker and Wilson (see also [12]). Note that it was proved by Gœthals
et al. that all these codes have the same weight enumerator [71].
For the remainder of the section, let $F$ be the field of order $2^m$ with $m$
odd, $k$ the field of order 2, and $A = k[F]$.
Definition 4.16 Let $i$ be an integer such that $\gcd(i, m) = 1$. The extended
Preparata code $P(i)$ is a non linear binary code of length $2^{m+1}$. By identifying
any binary codeword with its support, $P(i)$ consists of the codewords described
by all pairs
$$(X, Y), \quad X \subset F \text{ and } Y \subset F,$$
satisfying
(i) $|X|$ and $|Y|$ are even,
(ii) $\sum_{x \in X} x = \sum_{y \in Y} y$, and
(iii) $\sum_{x \in X} x^{2^i+1} + \sum_{y \in Y} y^{2^i+1} = \left( \sum_{x \in X} x \right)^{2^i+1}$.

A codeword $(x, y)$ of $A \times A$ is a pair
$$\left( x = \sum_{g \in X} X^g, \quad y = \sum_{g \in Y} X^g \right)$$
where $(X, Y)$ is a pair of subsets of $F$, the supports of $x$ and $y$. We are
going to present the previous definition in the ambient space $A \times A$. For
clarity we first recall some definitions given in Section 2.2 about codes of $A$.
We consider binary primitive codes. The coefficients of the MS polynomial
of $x \in A$ are the values of the $k$-linear maps defined for any $s \in [1, 2^m - 1]$
as
$$\phi_s : x \in A \longmapsto \sum_{g \in F} x_g g^s \in F.$$
By convention, we have in addition: $\phi_0(x) = \sum_{g \in F} x_g$ (see (8)). The 2-weight
of $s$ is denoted by $\mathrm{wt}_2(s)$; it is the sum $\sum_{i=0}^{m-1} s_i$, where $s = \sum_{i=0}^{m-1} s_i 2^i$,
$s_i \in \{0, 1\}$. The Reed-Muller code of order $m - j$ is the following subspace
of $A$:
$$R_2(m - j, m) = \{ x \in A \mid \mathrm{wt}_2(s) < j \Rightarrow \phi_s(x) = 0 \}. \qquad (56)$$
The extension of the 2-error-correcting BCH code is the following subspace
of $A$:
$$\widehat{B}_1 = \{ x \in A \mid \phi_0(x) = \phi_1(x) = \phi_3(x) = 0 \}. \qquad (57)$$
Recall that the RM codes and the extended BCH codes are ideals of $A$. The
code $R_2(m - 1, m)$, which is the radical $P$ of $A$, is the set of codewords of
even weight. The code $R_2(m - j, m)$ is the $j$-th power $P^j$ of the radical of
$A$ (see Section 2.4).
Notation: In the sequel, and for simplicity, the code $\widehat{B}_1$ will be denoted
by $\widehat{B}$ and the Preparata code $P(1)$ by $P$. The code $R_2(m - j, m)$ will be
denoted by $P^j$.

Lemma 4.17 The Preparata code $P$ consists of all pairs of codewords

$$(x, y), \quad x \in A, \ y \in A,$$

satisfying
(a) $\phi_0(x) = \phi_0(y) = 0$,

(b) $\phi_1(x) = \phi_1(y)$, and

(c) $\phi_3(x) + \phi_3(y) = (\phi_1(x))^3$.

Moreover (a) means that $x$ and $y$ are in $P$.
Suppose that (a) is satisfied. Then (b) means that $x + y$ is in $P^2$; (b)
and (c) means that $x + y$ is in the coset $z + \widehat{B}$ whose syndrome is

$$(\phi_0(z) = 0, \ \phi_1(z) = 0, \ \phi_3(z) = (\phi_1(x))^3). \qquad (58)$$

Proof: We simply rewrite the conditions of Definition 4.16 by means of the
functions $\phi_s$ and with $i = 1$. By definition
$$\sum_{x \in X} x^j = \phi_j(x).$$
Condition (i) in Definition 4.16 means that $x$ and $y$ are even weight
codewords, i.e. both are codewords of $P$. Condition (ii) means that $\phi_1(x)$ equals
$\phi_1(y)$. Since $\phi_1$ is linear, this is equivalent to $\phi_1(x + y) = 0$. Therefore, if (a)
is satisfied, (b) means that $x + y \in P^2$; in other words $x$ and $y$ are in the
same coset of $P^2$.
In the same manner condition (c) is condition (iii) rewritten with $\phi_1$ and
$\phi_3$. Assume that $x$ and $y$ satisfy (a), (b) and (c). Set $z = x + y$ and note
that $\phi_3(x) + \phi_3(y) = \phi_3(z)$. Then it is clear that the syndrome of $z$, with
respect to $\widehat{B}$, is given by (58); any codeword of the coset $z + \widehat{B}$ has such a
syndrome.
Conversely assume that $x$ and $y$ satisfy (a) and that $x + y$ is in the coset
$z + \widehat{B}$ whose syndrome is given by (58). As $\phi_1$ and $\phi_3$ are linear, (b) and (c)
are satisfied.

Our purpose is to prove Theorem 4.20. We begin by recalling the weight
distribution of the cosets of the extended 2-error-correcting BCH codes. The-
orem 4.18 and results presented in Table 10 were given in [55].

Theorem 4.18 The extended 2-error-correcting BCH code of length $2^m - 1$,
$m$ odd, is denoted by $\widehat{B}$. Denote by $W_{(i)}(X, Y)$ the weight enumerator of the
coset of $\widehat{B}$ of weight $i$.
There are five distinct weight enumerators for the cosets of $\widehat{B}$: $W_{(i)}(X, Y)$
for $0 \le i \le 4$, where $W_{(0)}(X, Y)$ is the weight enumerator of the code $\widehat{B}$ itself.
The total number of cosets is $2^{2m+1}$. The number of cosets of each weight is
as follows:
$$\begin{array}{ll}
\text{weight} & \text{number} \\ \hline
1 & 2^m \\
2 & 2^{m-1}(2^m - 1) \\
3 & 2^m(2^m - 1) \\
4 & (2^{m-1} + 1)(2^m - 1)
\end{array}$$
Among the cosets of minimum weight four, $2^m - 1$ are in $P^2$ and
$2^{m-1}(2^m - 1)$ are in $P \setminus P^2$. The polynomials $W_{(i)}(X, Y)$, $1 \le i \le 4$, are given in
Table 10. In this table the three weights of the dual of $\widehat{B}$ different from $2^m$
are denoted by $\gamma_i$ and we write $Z^t$ instead of $(X + Y)^{2^m - t}(X - Y)^t$.
The following property on the cosets of $\widehat{B}$ of weight four and contained in
$P \setminus P^2$ is surprising. As we will see in the proof of Lemma 4.22, it implies that
the minimum distance of the code $P$ is six. It can be obviously generalized
to any code $\widehat{B}_i$.

Proposition 4.19 Let $D$ be a coset of $\widehat{B}$ contained in $P \setminus P^2$. Let $x \in D$.
Then the weight of $D$ is four if and only if there is an $h \in F$ such that
$\phi_3(X^h x) = 0$.

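$$W_{(1)}(X, Y) = \frac{1}{2^{2m+1}} \left( Z^0 + 2^{(m-1)/2}(2^m - 1) Z^{\gamma_1} - 2^{(m-1)/2}(2^m - 1) Z^{\gamma_3} - Z^{2^m} \right)$$

$$W_{(2)}(X, Y) = \frac{1}{2^{2m+1}} \left( Z^0 + 2^{m-1} Z^{\gamma_1} - (2^m + 2) Z^{\gamma_2} + 2^{m-1} Z^{\gamma_3} + Z^{2^m} \right)$$

$$W_{(3)}(X, Y) = \frac{1}{2^{2m+1}} \left( Z^0 - 2^{(m-1)/2} Z^{\gamma_1} + 2^{(m-1)/2} Z^{\gamma_3} - Z^{2^m} \right)$$

$$W_{(4)}(X, Y) = \frac{1}{2^{2m+1}} \left( Z^0 - 2^{m-1} Z^{\gamma_1} + (2^m - 2) Z^{\gamma_2} - 2^{m-1} Z^{\gamma_3} + Z^{2^m} \right)$$

with notation:
$$Z^t = (X + Y)^{2^m - t}(X - Y)^t$$

$$\gamma_1 = 2^{m-1} - 2^{(m-1)/2}, \quad \gamma_2 = 2^{m-1}, \quad \gamma_3 = 2^{m-1} + 2^{(m-1)/2}$$

Table 10: Weight distribution of cosets of the code $\widehat{B}$; see Theorem 4.8.
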
Proof: Recall that
$$X^h x = X^h \left( \sum_{g \in F} x_g X^g \right) = \sum_{g \in F} x_g X^{g+h}.$$
Since $\widehat{B}$, $P$ and $P^2$ are invariant under the affine group, each coset $X^h D$
satisfies
$$X^h D = X^h x + \widehat{B}, \quad h \in F$$
and is contained in $P \setminus P^2$. Clearly $D$ and $X^h D$ have the same weight
enumerator. The syndrome of a coset $D = x + \widehat{B}$ with $x \in P \setminus P^2$ is
$(0, \phi_1(x), \phi_3(x))$ where $\phi_1(x) \ne 0$. Note that the weight of $D$ is either 2 or
4 since $D$ is contained in $P$.
Assume that $\phi_3(x) = 0$. If there is a codeword of weight 2, say $X^u + X^v$,
in $D$, then we have
$$\phi_3(X^u + X^v) = u^3 + v^3 = 0.$$
This leads to $u = v$ (as $m$ is odd, $\gcd(3, 2^m - 1) = 1$), a contradiction. So we
have proved that $D$ is a coset of weight 4 when $\phi_3(x) = 0$.
Now we will prove that there are exactly $2^m(2^m - 1)$ cosets $D$ of weight
4 such that $\phi_3(X^h x) = 0$, for some $h$. First there are $2^m - 1$ cosets with
syndrome
$$(0, \ \phi_1(x) = \beta, \ \phi_3(x) = 0), \quad \beta \in F^*.$$
Let $x = \sum_{g \in F} x_g X^g$ and compute the syndrome of $X^h x$:
$$\phi_1(X^h x) = \sum_g x_g (h + g) = \sum_g x_g g + h \sum_g x_g = \phi_1(x) = \beta$$
since the weight of $x$ is even and by fixing $\beta$,
$$\begin{aligned}
\phi_3(X^h x) &= \sum_g x_g (h + g)^3 = \sum_g x_g (h^3 + g^3 + h g^2 + g h^2) \\
&= h^3 \sum_g x_g + \sum_g x_g g^3 + h \sum_g x_g g^2 + h^2 \sum_g x_g g \\
&= \phi_3(x) + h \beta^2 + h^2 \beta.
\end{aligned}$$
So $\phi_3(X^h x) = \phi_3(x)$ if and only if either $h = 0$ or $h = \beta$. Hence the set
$\{ \phi_3(X^h x) \mid h \in F \}$ has cardinality $2^{m-1}$, corresponding to $2^{m-1}$ equivalent,
and distinct, cosets with syndromes
$$(0, \ \beta, \ \phi_3(X^h x) = \phi_3(x) + h^2 \beta + h \beta^2), \quad h \in F.$$
We then obtain exactly the $2^{m-1}(2^m - 1)$ cosets that we expected. But this is
exactly the number of cosets of weight four contained in $P \setminus P^2$ (see Theorem
4.18), completing the proof.

Now we come back to the Preparata codes. Recall that for any codeword
$(x, y) \in P$, $x$ and $y$ are in $P$. This shows that the Preparata codes
are constructed from even weight cosets of $\widehat{B}$ only. Our notation is that of
Theorem 4.18. The polynomials $W_{(i)}(X, Y)$ are given in Table 10.
Theorem 4.20 Denote by $W(X, Y)$ the weight enumerator of the Preparata
code of length $2^{m+1}$, $m$ odd. Then:

$$\begin{aligned}
W(X, Y) ={}& 2^m(2^m - 1)\, W_{(2)}(X, Y)\, W_{(4)}(X, Y) \\
&+ (2^m - 1) \left( W_{(4)}(X, Y) \right)^2 \\
&+ \left( W_{(0)}(X, Y) \right)^2 \qquad (59)
\end{aligned}$$

If we apply the MacWilliams identity to $W(X, Y)$, by using the formulas
of Table 10, we obtain the weight polynomial of the Kerdock code of length
$2^{m+1}$:

$$\begin{aligned}
K(X, Y) ={}& T^0 + 2^{m+1}(2^m - 1)\, T^{2^m - 2^{(m-1)/2}} + (2^{m+2} - 2)\, T^{2^m} \\
&+ 2^{m+1}(2^m - 1)\, T^{2^m + 2^{(m-1)/2}} + T^{2^{m+1}} \qquad (60)
\end{aligned}$$
where $T^i = X^{2^{m+1} - i} Y^i$.
We begin by proving two Lemmas.

Lemma 4.21 Consider the subcode $L$ of the Preparata code $P$ where

$$L = P \cap \{ (x, y) \mid x \in P^2 \}.$$

Then
$$L = \bigcup_{x \in P^2} (x + \widehat{B}) \times (x + \widehat{B}),$$
and the weight enumerator of $L$ is equal to

$$(2^m - 1) \left( W_{(4)}(X, Y) \right)^2 + \left( W_{(0)}(X, Y) \right)^2. \qquad (61)$$

Proof: By definition $x \in P^2$ if and only if $\phi_0(x) = \phi_1(x) = 0$. Assuming
this we write conditions (a), (b) and (c) of Lemma 4.17. We get that a pair
$(x, y)$ is in $L$ if and only if

$$\begin{aligned}
\phi_0(x) &= \phi_1(x) = 0 \\
\phi_s(x) &= \phi_s(y), \quad s = 0, 1, 3.
\end{aligned} \qquad (62)$$

Clearly (62) is equivalent to

$$x \in P^2 \text{ and } y \in x + \widehat{B}. \qquad (63)$$

So any pair $(x, y)$ of $L$ belongs to $(x + \widehat{B}) \times (x + \widehat{B})$. Conversely $x + \widehat{B}$ is
contained in $P^2$ for any $x \in P^2$. According to (63) we have: for any $x'$ in
$x + \widehat{B}$ then $(x', y)$ is in $L$ for all $y \in x + \widehat{B}$, implying
$(x + \widehat{B}) \times (x + \widehat{B}) \subseteq L$.
When $\phi_3(x) = 0$, then $x \in \widehat{B}$ and we obtain $\widehat{B} \times \widehat{B} \subseteq L$. We have proved
that
$$L = \widehat{B} \times \widehat{B} \ \bigcup_{x \in P^2 \setminus \widehat{B}} (x + \widehat{B}) \times (x + \widehat{B}).$$

The cosets $(x + \widehat{B})$ are the cosets of $\widehat{B}$ of weight four which are contained in
$P^2$. There are $2^m - 1$ such cosets. They have the same weight enumerator
(see Theorem 4.18).
On the other hand, the weight enumerator of any product of codes, say
$A \times A'$, is the product of the weight enumerator of $A$ and the weight
enumerator of $A'$. The weight enumerator of $L$ is immediate; one obtains (61)
with the notation of Table 10.

Lemma 4.22 Set $I = P \setminus P^2$. Denote by $\delta(x)$ the weight of the coset $(x + \widehat{B})$.
Consider the subcode $N$ of $P$ where

$$N = P \cap \{ (x, y) \mid x \in I \}.$$

Then
$$N = \bigcup_{\substack{x \in I,\ z \in P^2 \\ \phi_3(z) = \phi_1(x)^3}} (x + \widehat{B}) \times (x + z + \widehat{B}),$$
Moreover, for any product of cosets above, if $\delta(x) = 2$ then $\delta(x + z) = 4$ and
if $\delta(x) = 4$ then $\delta(x + z) = 2$.
The weight enumerator of $N$ is equal to

$$2^m(2^m - 1)\, W_{(2)}(X, Y)\, W_{(4)}(X, Y).$$

Proof: By definition of $P$, the pair $(x, y)$ is in $P$ if and only if the product
of the cosets $(x + \widehat{B}) \times (y + \widehat{B})$ is in $P$. This is because $\phi_s(x + \widehat{B}) = \phi_s(x)$,
for $s \in \{0, 1, 3\}$, implying that the conditions of Lemma 4.17 hold for the
cosets of $\widehat{B}$ generated by $x$ and $y$. On the other hand, a coset $x + \widehat{B}$ is in $I$
if and only if it is an even weight coset such that $\phi_1(x) \ne 0$. The weight of
any coset contained in $I$ is either 2 or 4.
Let $x$ and $y$ be any elements of $A$ and set $z = x + y$. The pair $(x, y)$ is
in $N$ if and only if $x \in I$ and $(x, y) \in P$. This is clearly equivalent to

$$x \in I, \ z \in P^2 \text{ and } \phi_3(z) = \phi_1(x)^3.$$

Indeed $z \in P^2$, with $x \in I$, is equivalent to conditions (a) and (b) of Lemma
4.17. The last equality corresponds to condition (c).
Set $\beta = \phi_1(x)$ and denote respectively by $D$ and $D'$ the cosets $(x + \widehat{B})$
and $(y + \widehat{B})$. If $\delta(x) = 4$, we can suppose $\phi_3(x) = 0$ (from Proposition 4.19
and because $\widehat{B}$ is affine-invariant). Then conditions (b) and (c) give

$$\phi_1(y) = \beta \text{ and } \phi_3(y) = \beta^3.$$

Hence the coset $D'$ contains the codeword $X^0 + X^{\beta}$ whose syndrome is
obviously $(0, \beta, \beta^3)$. Conversely suppose that $\delta(x) = 2$. Up to equivalence we
can assume that $D$ contains the codeword $x = X^0 + X^{\beta}$. Condition (c) gives

$$\phi_3(x) + \phi_3(y) = \beta^3 = \beta^3 + \phi_3(y)$$

since $\phi_3(x) = \beta^3$. So $\phi_3(y) = 0$ implying that $D'$ has weight four.
It is important to notice that for any given coset $D$, the coset $D'$ is
uniquely determined. Since there are $2^{m-1}(2^m - 1)$ cosets of weight four and
$2^{m-1}(2^m - 1)$ cosets of weight two contained in $I$, we have $2^m(2^m - 1)$ cosets
in $N$. We obviously deduce the weight polynomial of $N$.


Proof of Theorem 4.20: The proof is easily deduced from the two previous
lemmas. The codewords $(x, y)$ of $P$ are such that $x$ and $y$ both have even
weight. So $x$ (resp. $y$) is either in $P \setminus P^2$ or in $P^2$. Obviously the code $P$ is
equal to the union of $L$ and $N$, two sets which do not intersect. Therefore
the weight enumerator of $P$ is equal to the weight enumerator of $L$ plus the
weight enumerator of $N$ – these weight enumerators are given by Lemmas
4.21 and 4.22.
It is well-known that the weight enumerator of the Preparata code is the
MacWilliams transform of the weight enumerator of the Kerdock code; this
was proved by Semakov, Zaitsev and Zinoviev [151] (see also [111, ch.5,
§5]). We give another proof of this property.
The weight enumerator $W_{(0)}(X, Y)$ is given by (55); the $W_{(i)}(X, Y)$ are
given in Table 10. By using these formulas and (59), one computes the weight
enumerator of the code $P$ and obtains
$$\begin{aligned}
W(X, Y) = \frac{1}{2^{4m+2}} \Big( & 2^{2m} U^0 + 2^{2m} U^{2^{m+1}} + (2^{4m+1} - 2^{3m+1})\, U^{2^m - 2^{(m-1)/2}} \\
& + (2^{4m+1} - 2^{3m+1})\, U^{2^m + 2^{(m-1)/2}} + (2^{3m+2} - 2^{2m+1})\, U^{2^m} \Big)
\end{aligned}$$
where $U^i = (X + Y)^{2^{m+1} - i}(X - Y)^i$. The MacWilliams transform of the
weight enumerator of the code $P$ is
$$K(X, Y) = \frac{1}{2^{2^{m+1} - 2(m+1)}}\, W(X + Y, X - Y).$$
So, in the expression of $W(X, Y)$, $U^i$ is replaced by
$$((X + Y) + (X - Y))^{2^{m+1} - i} ((X + Y) - (X - Y))^i = 2^{2^{m+1}} X^{2^{m+1} - i} Y^i.$$

We obtain
$$\begin{aligned}
K(X, Y) ={}& X^{2^{m+1}} + Y^{2^{m+1}} + 2^{m+1}(2^m - 1)\, X^{2^m + 2^{(m-1)/2}}\, Y^{2^m - 2^{(m-1)/2}} \\
&+ 2^{m+1}(2^m - 1)\, X^{2^m - 2^{(m-1)/2}}\, Y^{2^m + 2^{(m-1)/2}} + (2^{m+2} - 2)\, X^{2^m} Y^{2^m},
\end{aligned}$$

which is the weight enumerator of the Kerdock code, given in (60), completing
the proof.
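
The decomposition of Lemmas 4.21 and 4.22, the coset counts of Theorem 4.18 and formula (60) can all be checked by exhaustive search in the smallest case m = 3 (length 16). The following is an added example, not part of the original chapter: it builds P from conditions (a), (b), (c) of Lemma 4.17; the primitive polynomial x^3 + x + 1 used for F and all function names are choices made for this example.

```python
"""Brute-force check, for m = 3, of Lemma 4.17, Theorem 4.18 and formula (60)."""
from collections import Counter
from itertools import combinations
from math import comb

M = 3            # m must be odd; m = 3 keeps the search at 2^16 pairs (x, y)
Q = 1 << M       # |F| = 2^m, the length of x and of y
MOD = 0b1011     # x^3 + x + 1: primitive polynomial assumed for this example

def gf_mul(a, b):
    """Product in F = GF(2^m); elements are stored as m-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & Q:
            a ^= MOD
        b >>= 1
    return r

CUBE = [gf_mul(g, gf_mul(g, g)) for g in range(Q)]

def syndrome(word):
    """(phi_0, phi_1, phi_3) of the word whose bit g is the coefficient x_g."""
    p0 = p1 = p3 = 0
    for g in range(Q):
        if (word >> g) & 1:
            p0 ^= 1
            p1 ^= g
            p3 ^= CUBE[g]
    return p0, p1, p3

SYN = [syndrome(w) for w in range(1 << Q)]
WT = [bin(w).count("1") for w in range(1 << Q)]

def preparata():
    """All pairs (x, y) meeting conditions (a), (b), (c) of Lemma 4.17."""
    code = []
    for x in range(1 << Q):
        a0, a1, a3 = SYN[x]
        if a0:                      # (a): x must have even weight
            continue
        for y in range(1 << Q):
            b0, b1, b3 = SYN[y]
            if b0 == 0 and b1 == a1 and (a3 ^ b3) == CUBE[a1]:
                code.append((x, y))
    return code

def weight_distribution(code):
    """Map weight -> number of codewords (x, y) of that weight."""
    return dict(Counter(WT[x] + WT[y] for x, y in code))

def minimum_distance(code):
    """Smallest Hamming distance over all pairs (the code is not linear)."""
    return min(WT[x ^ u] + WT[y ^ v] for (x, y), (u, v) in combinations(code, 2))

def split_sizes(code):
    """(|L|, |N|) of Lemmas 4.21 and 4.22: phi_1(x) = 0 versus phi_1(x) != 0."""
    in_l = sum(1 for x, _ in code if SYN[x][1] == 0)
    return in_l, len(code) - in_l

def coset_weights():
    """Minimum weight of each coset of the extended BCH code, keyed by syndrome."""
    best = {}
    for w in range(1 << Q):
        best[SYN[w]] = min(best.get(SYN[w], Q), WT[w])
    return best

def macwilliams(dist, n, size):
    """B_k = (1/size) * sum_j A_j K_k(j), K_k the binary Krawtchouk polynomial."""
    out = {}
    for k in range(n + 1):
        total = sum(a * sum((-1) ** i * comb(j, i) * comb(n - j, k - i)
                            for i in range(k + 1))
                    for j, a in dist.items())
        if total % size:
            raise ValueError("transform is not integral")
        if total:
            out[k] = total // size
    return out

def kerdock_formula(m):
    """Coefficients of K(X, Y) read off formula (60): weight -> count."""
    h = 1 << ((m - 1) // 2)
    big = (1 << (m + 1)) * ((1 << m) - 1)
    return {0: 1, (1 << m) - h: big, 1 << m: (1 << (m + 2)) - 2,
            (1 << m) + h: big, 1 << (m + 1): 1}

if __name__ == "__main__":
    P = preparata()
    print("size", len(P), "d", minimum_distance(P), "|L|,|N|", split_sizes(P))
    print("weights", sorted(weight_distribution(P).items()))
    print("(60):", macwilliams(weight_distribution(P), 2 * Q, len(P)) == kerdock_formula(M))
    print("coset weights", sorted(Counter(coset_weights().values()).items()))
```

For m = 3 the extended BCH code has only two codewords, so the coset enumerators of Table 10 reduce to one or two monomials each and (59) can also be expanded by hand against the printed weights.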


Comments on Section 4.3 Note that the description of the automorphism
group of Kerdock codes is to be found in [40].
The class of codes $\widehat{B}_i$ is an example of nonequivalent codes which have
the same weight distribution of cosets, as stated in Theorem 4.15. Note
that, according to Theorem 4.15, we could consider $P(i)$ and the cosets of
$\widehat{B}_i$ throughout the section. We claim that the result given by Theorem 4.20
holds for any $i$.
The number of distinct weight enumerators of cosets of the primitive
2-error-correcting BCH codes, extended or not, is the same for any length
$2^m - 1$. This number is four when $m$ is odd; it is eight for $m$ even. It is
respectively five and eight for the extended codes [55]. This property does
not hold for the 3-error-correcting BCH codes, providing several conjectures
(see [57]). Note that, however, the external distance of the 3-error-correcting
BCH codes is five (six for the extension) for any length. For these codes, the
external distance is a constant while the number of weight enumerators of
cosets increases with the length. The Gœthals codes are built from cosets of
the 3-error-correcting BCH codes and there is a direct definition analogous to
Definition 4.16 of these codes [12]; so it is possible to state a lemma analogous
to Lemma 4.17.
About the Preparata codes, our aim is to explain the following point
of view. Each code is a union of product sets C1 × C2 where C1 and C2
are cosets of the extended 2-error-correcting BCH code. By fixing C1 we
determine C2 , and vice-versa. So the definition of the codewords of P is
based on relations on these cosets and not on relations on the words of these
cosets. Furthermore we are not surprised that the weight enumerator of P
is in a certain sense not dependent on the construction of the code. This is
especially true for the cosets of weight four: there are two distinct kinds of
cosets of weight four and both have the same weight enumerator.
There are many other possible relations between the cosets which do not
change the weight enumerator. They could provide other constructions and
then other codes with the same weight enumerator. It could provide, for
instance, a construction of the Preparata-like code obtained in [75].

5 Conclusion
This chapter does not give an exhaustive overview of problems involving
unknown properties of cyclic codes. Our aim was to emphasize that research
on cyclic codes remains a topic of great interest for a large community.
We have focused on some problems which have been recognized as hard
for a long time. Therefore some recent new topics are not developed here.
The most famous example is the fast-expanding study of cyclic codes over
$Z_k$, $k$ not a prime, originated by the work of Hammons et al. [75] (in the
case $k = 4$) – see also the earlier paper due to Nechaev [119]. The authors
showed that some codes, not cyclic in the usual sense, can be viewed as
$Z_4$-cyclic codes. In [75], they conclude that this new point of view should
completely transform the study of cyclic codes. Our purpose is not in conflict
because we wish to develop the idea that important problems in cyclic codes
remain unsolved and necessitate new tools or new methods for going further.
This chapter is based on valuable discussions with a number of researchers
of the community. Particularly we want to express our gratitude to E.F.
Assmus, Jr, D. Augot, C. Carlet, T.P. Berger, J. Wolfmann and
V. Zinoviev for their contributions.
We would further mention N. Sendrier, A. Canteaut, and F. Levy-
dit-Vehel who have provided respectively Tables 2, 3 and 4 and gave in-
formation about all their numerical results.

References
[1] E.F. Assmus, Jr & V. Pless, On the covering radius of extremal
self-dual codes, IEEE Transactions on Information Theory, vol. IT-29, n. 3,
May 1983.

[2] E.F. Assmus Jr & J.D. Key, Designs and their codes, Cambridge
Tracts in Mathematics, Volume 103, Cambridge University Press, 1992.

[3] E.F. Assmus, On the Reed-Muller codes, Discrete Mathematics 106/107
(1992) 25-33.

[4] D. Audibert & N. Sendrier, Distribution des poids des codes
cycliques binaires de longueur 63. INRIA-report Number 2299, July 1994.

[5] D. Augot, Etude algébrique des mots de poids minimum des codes
cycliques. Méthodes d’algèbre linéaire sur les corps finis, Thèse de
l’Université Paris 6, Décembre 1993.

[6] D. Augot, Description of minimum weight codewords of cyclic codes by
algebraic system, Finite Fields and their Applications, 2 (1996),
pp. 138-152.

[7] D. Augot, P. Charpin & N. Sendrier, The minimum distance of
some binary codes via the Newton’s Identities, EUROCODE’90, LNCS
514, pp. 65-73, Springer-Verlag.

[8] D. Augot, P. Charpin & N. Sendrier, Sur une classe de polynômes
scindés de l’algèbre $F_{2^m}[Z]$, C. R. Acad. Sci. Paris, t.312, Série I, pp.
649-651, 1991.

[9] D. Augot, P. Charpin & N. Sendrier, Studying the locator
polynomials of minimum weight codewords of BCH codes, IEEE Transactions
Information Theory, vol. 38, n.3, pp. 960-973, May 92.

[10] D. Augot & N. Sendrier, Idempotents and the BCH bound, IEEE
Transactions on Information Theory, Vol. 40, N. 1, January 94, pp. 204-207.

[11] D. Augot & F. Levy-dit-Vehel, Bounds on the minimum distance
of the duals of BCH codes, IEEE Transactions on Information Theory,
vol. 42, No. 4, July 1996, pp. 1257-1260.

[12] R.D. Baker, J.H. Van Lint & R.M. Wilson, On the Preparata and
Gœthals codes, IEEE Transactions on Information Theory, Vol. IT29,
N.3, May 83, pp. 341-5.

[13] L.A. Bassalygo & V.A. Zinoviev, Remark on uniformly packed
codes, translated from Problemy Peredachi Informatsii, vol. 13, N. 3,
pp. 22-25, July-September 1977.

[14] L.D. Baumert & R. J. McEliece, Weights of irreducible cyclic
codes, Information and Control 20, 158-175 (1972).

[15] L.D. Baumert & J. Mikkeltveit, Weight distributions of some
irreducible cyclic codes, JPL technical report, vol. 16, pp. 128-131, 1973.

[16] T. Becker & V. Weispfenning, Gröbner bases, a computational
approach to commutative algebra, Springer-Verlag, 1993.

[17] T. P. Berger, Automorphism groups and the permutation groups of
affine-invariant codes, Proceedings of Finite Fields and Applications
(third conference), Glasgow, England, London Mathematical Society,
Lecture Series 233, Cambridge University Press, pp. 31-45 (1996).

[18] T. P. Berger, On the automorphism group of affine-invariant codes,
Designs Codes and Cryptography, 7 (1996), pp. 215-221.

[19] T. P. Berger, From Cyclic Alternant codes to Cyclic Goppa codes,
Proceedings of Finite Fields and Applications (4th conference),
Waterloo, Canada, 1998, to appear.

[20] T.P. Berger & P. Charpin, The automorphism group of Generalized
Reed-Muller codes, Discrete Mathematics 117 pp. 1-17, 1993.

[21] T.P. Berger & P. Charpin, The permutation group of
affine-invariant extended cyclic codes, IEEE Transactions on Information
Theory, vol. 42, No. 6, November 1996, pp. 2194-2209.

[22] E.R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, New York,
1968.

[23] E.R. Berlekamp, The weight enumerators for certain subcodes of the
second order Reed-Muller codes, Info. and Control, 17(1970) 485-500.

[24] E.R. Berlekamp & J. Justesen, Some long cyclic linear binary codes
are not so bad, IEEE Transactions on Information Theory, IT-20, May
1974, pp. 351-356.

[25] S.D. Berman, On the theory of group codes, Kibernetika, Vol. 3, N. 1,
pp. 31-39, 1967.

[26] S.D. Berman, Semisimple cyclic and abelian codes, II, Kibernetika,
Vol. 3, N. 3, pp. 21-30, 1967.

[27] E. Biham & A. Shamir, Differential cryptanalysis of DES-like
cryptosystems, Journal of Cryptology, Vol. 4 No. 1 (1991), pp. 3-72.

[28] V. Bezzateev & N.A. Shekhunova, A subclass of binary Goppa
codes with improved estimation of the code dimension, Designs, Codes
and Cryptography, to appear.

[29] R.E. Blahut, Transform techniques for error control codes, IBM J.
Res. Dev. 23 (1979), 299-315.

[30] F. Blanchet & G. Bommier, Binary quasi-cyclic Goppa codes,
submitted – abstract in the Proceedings of “1997 IEEE International
Symposium on Information Theory”, p. 504, June 29 - July 4, 1997.

[31] M. de Boer & R. Pellikaan, Gröbner bases for error-correcting
codes and their decoding in “Some tapas of computer algebra” (A.M.
Cohen, H. Cuypers and H. Sterk eds.) by Springer-Verlag, to appear.

[32] P. Bours, J.C.M. Janssen, M. van Asperdt & H.C.A. van
Tilborg, Algebraic decoding beyond $e_{BCH}$ of some binary cyclic codes,
when $e > e_{BCH}$, IEEE Transactions on Information Theory, Vol. 36, No
1, January 1990, pp. 214-222.

[33] A.E. Brouwer & L.M.G.M. Tolhuizen, A Sharpening of the
Johnson Bound for Binary Linear Codes, Designs, Codes and Cryptography,
vol. 3, No. 1, pp. 95-98, 1993.

[34] A.R. Calderbank, G. McGuire, P.V. Kumar & T. Helleseth,
Cyclic codes over $Z_4$, locator polynomials and Newton’s Identities, IEEE
Transactions on Information Theory, Vol. 42, N.1, January 96, pp. 217-27.

[35] A.R. Calderbank, G. McGuire, B. Poonen & M. Rubinstein,
On a conjecture of Helleseth regarding pairs of binary m-sequences, IEEE
Transactions on Information Theory, Vol. 42, N. 3, May 1996, pp. 988-990.

[36] P. Camion, C. Carlet, P. Charpin & N. Sendrier, On
correlation-immune functions, Advances in Cryptology, CRYPTO’91,
LNCS, Springer Verlag n° 576, 86-100.

[37] P. Camion & A. Canteaut, Construction of t-resilient functions over
a finite alphabet, EUROCRYPT’96, Advances in Cryptology, Lecture
Notes in Computer Science 1070, 283-293 (1996)

[38] A. Canteaut & F. Chabaud, A new algorithm for finding minimum
weight codewords in a linear code: application to primitive narrow-sense
BCH codes of length 511, IEEE Transactions on Information Theory, to
appear.

[39] C. Carlet, A transformation on Boolean functions, its consequences
on some problems related to Reed-Muller codes, EUROCODE’90, LNCS
n° 514, pp. 42-50, Springer-Verlag (1991).

[40] C. Carlet, The automorphism groups of the Kerdock codes, Journal of
Information & Optimization Sciences, Vol. 12(1991), No 3, pp. 387-400.

[41] C. Carlet, The divisors of $x^{2^m} + x$ of constant derivatives and degree
$2^{m-2}$, SIAM Journal on Discrete Math., vol 7, no 2, 238-244 (1994).

[42] C. Carlet, Two new classes of bent functions, Proceedings of
EUROCRYPT’93, Advances in Cryptology, LNCS, n° 765, 77-102.

[43] C. Carlet, Partially-bent functions, Designs Codes and Cryptography,
3, 135-145 (1993).

[44] C. Carlet, P. Charpin & V. Zinoviev, Codes, Bent Functions and
Permutations Suitable For DES-like Cryptosystems, submitted.

[45] C. Carlet, P. Guillot, An alternate characterization of the bentness
of binary functions, with uniqueness, Designs Codes and Cryptography,
to appear.

[46] G. Castagnoli, J.L. Massey, P.A. Schoeller & N. von Seeman,
On repeated-root cyclic codes, IEEE Transactions Inform. Theory
IT-37 (1991), pp. 337-342.

[47] A.G. Cerveira, On a class of wide-sense binary BCH codes whose
minimum distance exceed the BCH bound, IEEE Transactions on
Information Theory, 14(1968) 784-785.

[48] F. Chabaud & S. Vaudenay, Links between differential and linear
cryptanalysis, Proceedings of EUROCRYPT’94, Advances in Cryptology,
LNCS, n° 950, 356-366.

[49] P. Charpin, The extended Reed-Solomon codes considered as ideals of
a modular algebra, Annals of Discrete Mathematics 17(1983), 171-176.

[50] P. Charpin, A description of some extended cyclic codes with
application to Reed-Solomon codes, Discrete Mathematics 56 (1985) 117-124.

[51] P. Charpin, Codes cycliques étendus invariants sous le groupe affine,
Thèse de Doctorat d’Etat, Univ. PARIS VII, 1987.

[52] P. Charpin, Codes cycliques étendus affines-invariants et antichaines
d’un ensemble partiellement ordonné, Discrete Mathematics 80 (1990),
229-247.

[53] P. Charpin, On a class of primitive BCH codes, IEEE Transactions on
Information Theory, vol. 36, pp. 222-228, Number 1, 1990.

[54] P. Charpin & F. Levy-dit-Vehel, On self-dual affine-invariant
codes, Journal of Combinatorial Theory, Series A, Vol. 67, N. 2,
August 1994, p. 223-244.

[55] P. Charpin, Weight Distributions of Cosets of 2-Error-Correcting
Binary BCH Codes, Extended or not, IEEE Transactions on Information
Theory, vol. IT-40, pp. 1425-1442, Sept. 1994.

[56] P. Charpin, Tools for cosets weight enumerators of some codes,
Proceedings of “Finite Fields: Theory, Applications and Algorithms”, AMS
publication, Contemporary Mathematics, vol. 168, 1994, pp. 1-13.

[57] P. Charpin & V. Zinoviev, On coset weight distributions of the
3-error-correcting BCH codes, SIAM Journal of discrete Mathematics, Vol.
10, No. 1, pp. 128-145, February 1997.

[58] P. Charpin, A. Tietäväinen & V. Zinoviev, On binary cyclic codes
with d = 3, Problems of Information Transmission, vol. 33, No 3 (1997).

[59] X. Chen, I.S. Reed, T. Helleseth & T.K. Truong, Use of
Gröbner bases to decode binary cyclic codes up to the minimum distance,
IEEE Transactions on Information Theory, vol. 40, N.5, September 94,
pp. 1654-1661.

[60] X. Chen, I.S. Reed, T. Helleseth & T.K. Truong, General
principles for the algebraic decoding of cyclic codes, IEEE Transactions on
Information Theory, vol. 40, N.5, September 94, pp. 1661-63.

[61] S.D. Cohen, The length of primitive BCH codes with minimal covering
radius, Designs, Codes and Cryptography, 10, 5-16 (1997).

[62] G.D. Cohen, S.N. Litsyn, A.C. Lobstein, H.F. Mattson, Jr,
Covering radius 1985-1994, Applicable Algebra in Engineering,
Communication and Computing, Vol. 8, No. 3, 1997.

[63] P. Delsarte & J.M. Gœthals, Irreducible binary cyclic codes of
even dimension, in: Combinatorial Mathematics and its Applications,
Proc. Second Chapel Hill Conference, May 70 (Univ. of North Carolina,
Chapel Hill, N.C., 1970) pp. 100-113.

[64] P. Delsarte, J.M. Gœthals & F.J. MacWilliams, On generalized
Reed-Muller codes and their relatives, Info. and Control, 16 (1974)
403-442.

[65] Y. Desaki, T. Fujiwara & T. Kasami, The weight distributions of
extended binary BCH codes of length 128, IEEE Transactions on
Information Theory, to appear.

[66] H. Dobbertin, Almost perfect nonlinear power functions on $GF(2^n)$,
submitted.

[67] G. Feng & K.K. Tzeng, A new procedure for decoding cyclic and BCH
codes up to actual minimum distance, IEEE Transactions on Information
Theory, vol. 40, N.5, September 94, pp. 1364-74.

[68] K.O. Geddes, S.R. Czapor & G. Labahn, Algorithms for computer
algebra, Kluwer Academic Publishers, 1992.

[69] A. M. Gleason, Weight polynomials of self-dual codes and
the MacWilliams identities, in: Actes Congrès International de
Mathématiques, 3 1970 (Gauthier-Villars, Paris, 1971) 211-215.

[70] J.M. Gœthals, Factorisation of cyclic codes, IEEE Transactions on
Information Theory, vol. IT-13, pp. 242-246, April 1967.

[71] J.M. Gœthals & S.L. Snover, Nearly perfect codes, Discrete
Mathematics 3 (1972) 64-88.

[72] J.M. Gœthals & H.C.A. van Tilborg, Uniformly packed codes,
Philips Res. Repts 30, 9-36, 1975.

[73] J.R. Griggs, Maximum antichains in the product of chains, Order
1(1984), 21-28.

[74] V.D. Goppa, A new class of linear error-correcting codes, Problemy
Peredachi Informatsii 6 (1970), 24-30.

[75] A.R. Hammons, Jr., P.V. Kumar, A.R. Calderbank, N.J.A.
Sloane & P. Solé, The Z_4-linearity of Kerdock, Preparata, Gœthals,
and related codes, IEEE Transactions on Information Theory, V. 40, N.2,
(March 1994), pp. 301-319.

[76] H.J. Helgert & R.D. Stinaff, Shortened BCH codes, IEEE
Transactions on Information Theory, November 1973, pp. 818–820.

[77] T. Helleseth, On the covering radius of cyclic linear codes and
arithmetic codes, Discrete Applied Mathematics, 11 (1985), pp. 157-173.

[78] T. Helleseth & P.V. Kumar, On the weight hierarchy of the
semiprimitive codes, Discrete Mathematics 152 (1996) 185-190.

[79] T. Helleseth, T. Klove & J. Mikkeltveit, The weight distribution
of irreducible cyclic codes with block lengths n_1((q^ℓ − 1)/N), Discrete
Mathematics 18 (1977) 179-211.

[80] W.C. Huffman, The automorphism groups of the generalized quadratic
residue codes, IEEE Transactions on Information Theory, vol. 41, N.2,
March 1995, 378-386.

[81] H. Janwa & R.M. Wilson, Hyperplane sections of Fermat varieties
in P^3 in char. 2 and some applications to cyclic codes, in Proceedings
AAECC-10 (G. Cohen, T. Mora and O. Moreno Eds), LNCS 673, pp.
180-194, Springer-Verlag, New York/Berlin, 1993.

[82] H. Janwa, G. McGuire & R.M. Wilson, Double-error-correcting
codes and absolutely irreducible polynomials over GF(2), Journal of
Algebra 178, 665-676 (1995).

[83] W.M. Kantor, On the inequivalence of generalized Preparata codes,
IEEE Transactions on Information Theory, Vol. IT-29, N. 3, May 1983,
pp. 345-348.

[84] T. Kasami, Some lower bound on the minimum weight of cyclic codes
of composite length, IEEE Transactions on Information Theory, vol. 14,
N.6, November 1968, pp. 814-818.

[85] T. Kasami, S. Lin & W.W. Peterson, Polynomial codes, IEEE
Transactions on Information Theory, Vol. 14, N. 6, November 1968, pp.
807-814.

[86] T. Kasami, An upper bound on k/n for affine-invariant codes with fixed
d/n, IEEE Transactions on Information Theory, 15 (1969) 174-176.

[87] T. Kasami, Weight distributions of Bose-Chaudhuri-Hocquenghem
Codes, in: R.C. Bose and T.A. Dowlings, eds, Combinatorial Math. and
Applications, (Univ. of North Carolina Press, Chapel Hill, NC, 1969)
Ch. 20.

[88] T. Kasami, The weight enumerators for several classes of subcodes of
the 2nd order binary Reed-Muller codes, Info. and Control, 18 (1971)
369-394.

[89] T. Kasami & S. Lin, Some results on the minimum weight of primitive
BCH codes, IEEE Transactions on Information Theory, November 1972,
pp. 824–825.

[90] T. Kasami, S. Lin & W.W. Peterson, Some results on cyclic codes
which are invariant under the affine group and their applications, Info.
and Control, vol. 11, pp. 475-496 (1967).

[91] T. Kasami, S. Lin & W.W. Peterson, New generalisations of the
Reed-Muller codes. Part I: Primitive codes, IEEE Transactions on
Information Theory, vol. IT-14, pp. 189-199 (1968).

[92] T. Kasami & N. Tokura, On the weight structure of Reed-Muller codes,
IEEE Transactions on Information Theory, Vol. IT-16, N.6, November
1970, pp. 752-825.

[93] T. Kasami & N. Tokura, Some remarks on BCH bounds and
minimum weights of binary primitive BCH codes, IEEE Transactions on
Information Theory, vol. 15, N. 3, May 1969, pp. 408–413.

[94] G. Lachaud & J. Wolfmann, The weights of the orthogonals of the
extended quadratic binary Goppa codes, IEEE Transactions on
Information Theory, 36 (1990) 686-692.

[95] P. Langevin, A new class of two weight codes, Proceedings of Finite
Fields and Applications (third conference), Glasgow, Great Britain,
London Mathematical Society, Lecture Series 233, Cambridge University
Press, pp. 181-187 (1996).

[96] P. Langevin & J.P. Zanotti, Linear codes with balanced weight
distribution, Applied Algebra in Engineering Communication and
Computing, vol. 6, 299-307 (1995).

[97] F. Laubie, Codes ideaux de certaines algèbres modulaires et
ramification, Communications in Algebra, 15(5), 1001-1016 (1987).

[98] D. Lazard, Systems of algebraic equations (algorithms and complexity),
Proceedings of Cortona Conference, University of Carolina Press, 1993.

[99] J.S. Leon, J.M. Masley & V. Pless, Duadic codes, IEEE
Transactions on Information Theory, vol. IT-30, 1984, 709-714.

[100] F. Levy-dit-Vehel, Divisibilité des codes cycliques: Applications et
prolongements, Thèse de l’Université Paris 6, 1994.

[101] F. Levy-dit-Vehel, Bounds on the minimum distance of the duals of
extended BCH codes over F_p, Applied Algebra in Engineering
Communication and Computing, vol. 6, no. 3, pp. 175-190, 1995,
Springer-Verlag.

[102] R. Lidl & H. Niederreiter, Finite Fields, Encyclopedia of
mathematics and its applications 20, Cambridge University Press, Second
edition, 1997.

[103] S. Lin & E.J. Weldon, Further results on cyclic product codes, IEEE
Transactions on Information Theory, vol. IT-16, N. 4, pp. 452-459, July
1970.

[104] R.J. McEliece, Quadratic forms over finite fields and second order
Reed-Muller codes, JPL Space Programs Summary, 37-58-III (1969)
28-33.

[105] R.J. McEliece, Weight congruence for p-ary cyclic codes, Discrete
Mathematics 3 (1972) 177-192.

[106] R.J. McEliece & H. Rumsey, Euler products, cyclotomy and coding,
J. Number Theory, Vol. 4, N. 3, pp. 302-311, June 1972.

[107] R.J. McEliece, A public-Key cryptosystem based on algebraic coding
theory, DSN Progress Report 42-44, Jet Propulsion Laboratory 1978,
pp. 114-116.

[108] R.J. McEliece, Irreducible cyclic codes and Gauss sums, in: M. Hall,
Jr and J.H. van Lint, eds, “Combinatorics”, (Reidel, Dordrecht, 1975)
pp. 185-202.

[109] R.J. McEliece & D.V. Sarwate, On Sharing secrets and
Reed-Solomon codes, Commun. of the ACM, 24:583-584, 1981.

[110] F.J. Macwilliams & J. Seery, The weight distributions of some
minimal cyclic codes, IEEE Transactions on Information Theory, Vol.
IT-27, N.6, November 1981, pp. 796-806.

[111] F.J. Macwilliams & N.J.A. Sloane, The theory of Error
Correcting Codes, North-Holland 1986.

[112] J.P. Martin, Codes et suites à racines multiples, Thèse de l’Université
de Toulon et du Var, January 1994.

[113] J.P. Martin, Construction of the best binary cyclic codes of even
length, EUROCODE’ 92, CISM Courses and Lectures n° 338, 65-76,
Springer-Verlag, Wien - New-York.

[114] J.L. Massey, D.J. Costello, Jr., & J. Justesen, Polynomial
weights and code construction, IEEE Transactions on Information
Theory, Vol. IT-19, N.1, January 1973, pp. 101-110.

[115] J.L. Massey & T. Schaub, Linear complexity in coding theory, in
Coding theory and Applications, LNCS vol. 311, pp. 19-32,
Springer-Verlag 1988.

[116] J.L. Massey, Minimal codewords and secret sharing, Proceedings of
the 6th Joint Swedish-Russian International Workshop on Information
Theory 1993, pp. 276-279.

[117] J.L. Massey, Some applications of coding theory in cryptography, in
“Codes and Ciphers: Cryptography and Coding IV” (Ed. P.G. Farell),
Essex, England: Formara Ltd., 1995, pp. 33-47.

[118] M. Matsui, Linear cryptanalysis method for DES cipher,
EUROCRYPT’93 Advances in Cryptography, Lecture Notes in Computer
Science 765, p. 386-397 (1994).

[119] A.A. Nechaev, Kerdock code in a cyclic form, Discrete Math. Appl.,
Vol. 1, N.4, pp. 365-384 (1991).

[120] G. Pasquier, The binary Golay code obtained from an extended cyclic
code over F_8, European Journal of Combinatorics, vol. 1, pp. 369-370,
1980.

[121] G. Pasquier, A binary extremal doubly even self-dual code [64, 32, 12]
obtained from an extended Reed-Solomon code over F_16, IEEE
Transactions on Information Theory, Vol. IT-27, N. 6, November 1981, pp.
807-808.

[122] R.L. Pele, Some remarks on the vector subspaces of a finite field, AF
Cambridge Research Labs., Bedford, Mass., Scientific Rept,
AFCRL-66-477.

[123] W.W. Peterson & E.J. Weldon, Error-Correcting Codes, MIT
Press, 1961.

[124] V. Pless, Power moment identities on weight distributions in
error-correcting codes, Info. and Control, 6 (1963) 147-152.

[125] J.C.C.M. Remijn & H.J. Tiersma, A duality theorem for the weight
distribution of some cyclic codes, IEEE Transactions on Information
Theory, Vol. 34, n. 5, September 1988, pp. 1348-1351.

[126] F. Rodier, On the spectra of the duals of binary BCH codes of designed
distance δ = 9, IEEE Transactions on Information Theory, 38 (1992)
478-479.

[127] T. Schaub, A linear complexity approach to cyclic codes, Dissertation,
Swiss Federal Institute of Technology, Zuerich 1988.

[128] J. Seberry, X. Zhang & Y. Zheng, Nonlinearly balanced
boolean functions and their propagation characteristics, Proceedings of
CRYPTO’93, Advances in Cryptology, LNCS, n° 773, 49-60.

[129] N. V. Semakov & V. A. Zinoviev, Balanced codes and tactical
configurations, Problems of Info. Trans., 5(3) (1969) 22-28.

[130] N.V. Semakov, V.A. Zinoviev & G.V. Zaitsev, Uniformly packed
codes, Problems of Information Transmission, vol. 7, No 1, pp. 38-50,
1971.

[131] K.K. Shen, C. Wang, K.K. Tzeng & B.Z. Shen, Generation of
matrices for determining minimum distance and decoding of cyclic codes,
IEEE Transactions on Information Theory, vol. 42, N. 2, March 1996,
pp. 653-657.

[132] N.J.A. Sloane & J.G. Thompson, Cyclic self-dual codes, IEEE
Transactions on Information Theory, Vol. IT-29, N. 3, May 1983, pp.
364-366.

[133] A.B. Sorensen, Projective Reed-Muller codes, IEEE Transactions on
Information Theory, vol. 37, N. 6, November 1991, pp. 1567-1576.

[134] H. Stichtenoth, Which extended Goppa codes are cyclic, Journal of
Combinatorial theory, Series A 51, 205-220 (1989).

[135] T. Sugita, T. Kasami & T. Fujiwara, The weight distribution of
the third order Reed-Muller code of length 512, IEEE Transactions on
Information Theory, Vol. 42, N. 5, September 1996, pp. 1622-25.

[136] A. Tietäväinen, On the covering radius of long binary BCH codes,
Discrete Applied Mathematics 16 (1987), pp. 75-77.

[137] J.A. Thiong-Ly, Automorphisms of two families of extended non
binary cyclic Goppa codes, LNCS Vol. 229, pp. 112-121, Springer-Verlag,
New-York/Berlin, 1985.

[138] M. van der Vlugt, The true dimension of certain binary Goppa
codes, IEEE Transactions on Information Theory, Vol. 36, N. 2, March
1990, pp. 397-398.

[139] J.H. van Lint, Introduction to Coding Theory, Graduate Texts in
Math. Vol. 86, Springer-Verlag, Berlin/Heidelberg/New-York, 1982.

[140] J.H. van Lint, Repeated-root cyclic codes, IEEE Transactions on
Information Theory, Vol-37, N. 2, March 1991, pp. 343-345.

[141] J.H. van Lint & R.M. Wilson, On the minimum distance of cyclic
codes, IEEE Transactions on Information Theory, 32(1):23, January
1986, pp. 23-40.

[142] J.H. van Lint & R.M. Wilson, Binary cyclic codes generated by
m_1 m_7, IEEE Transactions on Information Theory, 32(2):283, March
1986, p. 283.

[143] H.C.A. van Tilborg, On weights in codes, Report 71-WSK-03,
Department of Mathematics, Technological University of Eindhoven,
Netherlands, December 1971.

[144] M. van der Vlugt, Non-BCH triple-error-correcting codes, IEEE
Transactions on Information Theory, Vol. 42, No. 5, September 1996,
pp. 1612-1614.

[145] P. Véron, Goppa Codes and Trace Operator, IEEE Transactions on
Information Theory, to appear, January 1998.

[146] J. Wolfmann, New bounds on cyclic codes from algebraic curves,
in Lecture Notes in Computer Science, vol. 388, p. 47-62, Springer-Verlag
1989.

[147] J. Wolfmann, The weights of the dual of the Melas code over GF(3),
Discrete Mathematics, Vol. 74, 1989, pp. 327-329.

[148] J. Wolfmann, The number of solutions of certain diagonal equations
over finite fields, J. of Number Theory, vol. 42, pp. 247-257, 1992.

[149] J. Wolfmann, New results on diagonal equations over finite fields
from cyclic codes, AMS publication, Contemporary Mathematics, vol.
168, 1994, pp. 387-395.

[150] J. Wolfmann, Weight distribution of some binary primitive cyclic
codes, IEEE Transactions on Information Theory, Vol. 40, No. 6,
November 1994, pp. 2068-71.

[151] G.V. Zaitsev, V.A. Zinoviev & N.V. Semakov, On duality of
Preparata and Kerdock codes, Proceedings of the Fifth All-Union
Conference on Coding Theory, Part 2, Moscow-Gorkyi, 1972, pp. 55-58.

[152] J.P. Zanotti, Codes à distribution de poids equilibrée, Thèse de
l’Université de Toulon et du Var, January 1995.

[153] J.P. Zanotti, Automorphism Groups of BWD codes, Journal of
Combinatorial Theory, Series A, Vol. 78, No 2, May 1997, pp. 303-308.

[154] K.H. Zimmermann, On generalizations of repeated-root cyclic codes,
IEEE Transactions on Information Theory, vol. 42, N. 2, March 1996,
pp. 641-649.
